Since November 2021, the Cybersecurity Maturity Model Certification (CMMC) has been a hot topic among contactors, suppliers, and cybersecurity experts. The questions range from “What exactly is happening with CMMC” to “Does my organization need to worry about CMMC” along with many others.

The Relationship Between DFARS, NIST, and CMMC

In 2016, the Defense Federal Acquisition Regulation Supplement (DFARS) was updated. The update required all DoD contractors and their sub-contractors to self-assess against meeting the cybersecurity requirements of NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.  In 2019, DFARS was updated again. This update included the requirement for the Cybersecurity Maturity Model Certification supported by a tri-annual independent assessment. Department of Defense (DoD) contractors and their sub-contractors handling controlled unclassified information (CUI) were given five years to implement these changes

Also in 2019, the CMMC-Accreditation Body (CyberAB) was established as a joint venture between Carnegie Mellon University, The Johns Hopkins University Applied, Physics Laboratory LLC, and Futures, Inc. The Cybersecurity Maturity Model Certification Accreditation Body oversees the program under a no cost contract. The program is currently overseen by the DOD CIO office. CMMC-AB released the first draft of CMMC 1.0 in that same year on the credentials required for independent assessors and how to conduct the assessments for DoD contractors.

In November 2021, the DoD paused CMMC 1.0 based on public comments. It began the process of evaluating and and updating the DFARS rules for the independent assessments with the release of CMMC 2.0. CMMC 2.0 covered several critical changes, including the removal of the CMMC maturity processes, alignment to the NIST SP 800-171 security controls for the body of the assessment, and the reduction of CMMC levels from five to three.  Lastly, the governing body was renamed Cyber-AB to reduce confusion between the CMMC requirements of the DoD and the Cyber-AB’s role as certifying organizations and auditors to conduct CMMC assessments.

Keep in mind that none of these events impact the existing requirement under DFARS 252.204-7012, requiring contractors and their sub-contractors handling CUI to ensure they are compliant with the 110 controls and 320 objective statements of the NIST SP 800-171.

The CMMC Journey

Although the proposed rule was published in December of 2023, many questions still remain. These include: 

- How will C3PAO companies meet the demands of all of the Defense Industry Base (DIB) companies needing assessments?

- How will small businesses be able to afford meeting both the NIST SP 800-171 requirements and the third-party assessments along with other facets of the certification process?

- Will contractors be ready for the CMMC assessments and certifications? A surprising number of contractors are not currently compliant with NIST 800-171 rev 2, so making the jump to CMMC will be a shift that will take some time.

If you are a manufacturer working on CMMC/NIST compliance visit our CMMC for Manufacturers page for more resources as well as FAQs. 


On Friday, December 22, CMMC was published as a proposed rule. Comments will be accepted until late February 2024.

Show Policy

New! NIST 800-171 assessment checklist!

Download our CMMC for Manufacturers FAQs


Follow us on LinkedIn

What should you do right now?

In November 2022, Washington Technology published an interview with Robert Metzger, one of the original architects of the 2019 CMMC plan. He was asked, “what should contractors do now with all of the confusion surrounding CMMC?”

Metzger suggests contractors begin assessing their cybersecurity health as it exists now. Whether or not your focus is on a specific certification, cyber-attacks are a reality, so it is important to protect the data of your customers as well as your own. It is a good time to start working on your NIST 800-171 rev 2 compliance.

The world of cybersecurity and the associated certifications is complex and constantly evolving. The CMMC eventual launch and the new NIST SP 800-171r3, both expected in 2024, are such examples.

Smithers, a C3PAO candidate, will soon be able to offer you a letter of conformance to NIST 800-171r2, which will be updated to a CMMC certificate, when it is officially released (requires the client to be under a Smithers continuous assessment program with annual surveillance assessments). Smithers is ready to help navigate these requirements and address your organization specific questions.

If you have questions about your specific organization, please contact us today. 

Latest Resources

See all resources