CMMC 2.0 Timeline

Updated 2024 Timeline for Cybersecurity Maturity Model Certification (CMMC)

The cyber threat landscape is evolving at a rapid pace and guarding critical infrastructure and sensitive information against both nation-states and non-state actors has become a top priority for the government. Recent attacks including the SolarWinds supply chain compromise, HAFNIUM exchange vulnerabilities and Log4j exploits have only increased the focus on this issue.

Although there have been many attempts in the past to enforce the adoption of robust cybersecurity measures in the defense industry, they’ve largely failed to deliver the desired results, leaving vital assets exposed and vulnerable.

Now, the Cybersecurity Maturity Model Certification (CMMC) is here to change that, and all contractors working for the Department of Defense (DoD) must familiarize themselves with it and their obligations if they want to continue offering their products and services.

The most important CMMC dates include:

• July-September 2027 (Estimated) – Rollout concludes with CMMC 2.0 requirements now included in all DoD solicitations and contracts.
• July-September 2026 (Estimated) – Third party certification requirements are introduced for the exercise of options to extend existing contracts.
• July-September 2025 (Estimated) – Third party (certification) assessment requirements introduced at Level 2
• January-March 2025 (Estimated) – The CMMC 2.0 rule takes effect requiring self-assessment and attestation for all new contracts. Self-attestation will be replaced by third party (C3PAO) assessment requirements as the assessment ecosystem ramps up.
• January 2024 – December 2024 – DoD review and analysis of comments on 32 CFR CMMC 2.0 rule and release of 48 CFR CMMC 2.0 rule for public comment.

• December 2023 – 32 CFR CMMC 2.0 DFARS rule released for public comment, along with supporting documentation including CMMC 2.0 assessment and scoping guidelines.
• January 2022 – December 2023 – Rulemaking underway while DIB contractors prepare for CMMC 2.0 requirements.
• December 2021 – CMMC v2.0 model documentation and assessment guides released.
• November 2021 – The DoD review of the CMMC program is concluded, CMMC v1.0 is effectively terminated and replaced by CMMC 2.0.
• April 2021 – The first C3PAO’s begin to be assessed against CMMC Level 2 (previously CMMC 1.0 Level 3) by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). C3PAO’s must pass their own Level 2 assessment before being able to conduct assessments themselves.
• January 2020 – The introduction of CMMC Version 1.0.