Some vendors believe that the federal requirement to establish the Cybersecurity Maturity Model Certification (CMMC) began in 2016 with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. However, this requirement started about six years earlier with Executive Order (EO) 13556.
What is EO 13556? EO 13556 established the Code of Federal Regulations (CFR) Section 32, Part 2002 in 2010, which outlined the Controlled Unclassified Information (CUI) program. This is important because, prior to this EO, the marking of defense information that required safeguarding or dissemination control was completed ad hoc and varied by agency. And while some classified information was already protected under EO 13526 of December 29, 2009, and the Atomic Energy Act, EO 13556 paved the way for consistent marking processes on all CUI. Now, more than 14 years later, the CUI program and the CUI marking process serve as precedent across the federal government and are overseen by the Information Security Oversight Office (ISOO) within the National Archives and Records Administration (NARA).
After EO 13556 was issued, several cybersecurity breaches occurred that caused the Department of Defense (DoD) to examine the role of suppliers and contractors. In 2010, the DoD began to require that contractors contribute to the safeguarding of controlled unclassified information.
In 2011, DFARS case 2011-DO39 outlined the requirements for safeguarding unclassified information, specifically information related to fundamental research. This represented the first proposed DFARS rule 7000, adding a trust-based verification component (versus third-party certification) with respect to cybersecurity requirements. On August 8, 2013, DFARS 252.204-7000 went into effect. This required the protection of sensitive data in non-federal systems, meaning that contractors had to protect CUI.
In August 2015, DFARS 252.204-7012 replaced the National Institute of Standards and Technology Special Publication 800-53 (NIST-SP-800-53) guidelines it had previously referenced with the new NIST-SP-800-171 standard.
Later, “DFARS Case 2013-D018, Defense of Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Service” was published as a draft interim rule with an effective date of October 21, 2016. This notably changed and expanded the scope of the existing DFARS 252.204-7012 to “include the safeguarding of covered defense information and require contractors to report cyber incidents involving this new class of information as well as any cyber incident that may affect the ability to provide operationally critical support.” DFARS 7008, DFARS 7009, and DFARS 7010 were published during this period to cover cloud computing and other requirements. In November 2016, DFARS rule 252.204-7012 went into effect.
During the implementation period for DFARS 7012, the DoD’s position was that by signing a contract carrying the DFARS 7012 clause, a contractor was self-attesting to the implementation of DFARS 7012 and, by extension, the 110 controls of NIST-SP-800-171. Therefore, as of January 1, 2018, every contractor that wanted to accept work under a contract containing the DFARS 7012 clause had to meet the NIST-SP-800-171 baseline.
In 2019, the DoD Inspector General reported a lack of compliance within the Defense Industrial Base (DIB).
In 2020, Section 1648 of the National Defense Authorization Act (NDAA) required the Secretary of Defense to develop a framework to enhance cybersecurity of the DIB no later than February 1, 2020.
From 2020 to today, the CMMC program has evolved several times to arrive at the current three-level model. For more information, please visit the DoD Chief Information Officer’s website, About CMMC, or visit Project Spectrum.