The Evolution of CMMC in 2020-2021

Any company that works with the US Department of Defense handling controlled unclassified information (CUI) now needs to meet CMMC requirements. First announced at the beginning of 2020, CMMC—Cybersecurity Maturity Model Certification—is a unified set of standards that must be adhered to regarding cybersecurity in the defense industrial base (DIB.)

This supply chain includes over 300,000 companies, and CMMC is in place to prevent these companies’ cybersecurity from being compromised and, in turn, endangering the DoD and its confidential information.

What is the timeline of CMMC evolution?


CMMC was first announced back in January of 2020 and was drafted with input from university-affiliated research centers, federally funded research and development centers, and industry experts.

Soon after, the CMMC-Accreditation Body (CMMC-AB) was formed. This group was created in January of 2020 and is a non-profit organization designed to oversee that CMMC is being adhered to correctly. The CMMC-AB takes charge of training certified assessors and consultants, among other responsibilities.

Throughout 2020, the DoD continued to release information regarding CMMC, helping businesses to keep up to date and ensure that they are doing what they should be.

On September the 29, 2020, the Department of Defence created and implemented the DFARS Interim Rule to help protect data within the federal supply chain. This rule mandated that all contractors assess the status of their cybersecurity and report the results to the Department of Defense in order to remain eligible for new contracts. This rule went into effect on November 30 of the same year.

From the 1st of December 2020, all Department of Defense contractors had to show that they are compliant with the appropriate level of maturity certification. Contractors have to submit their NIST SP 800-171 cybersecurity data to the Supplier Performance Risk System,and the data must not be older than three years—not an issue at present, while these assessments are still brand new, but a stipulation that contractors will have to remember a couple years down the line.


CMMC is still being developed as we head further into 2021, and it is set to be a busy year for this. Throughout the first quarter of the year, training has been provided to allow organizations to become certified as assessors.

In quarter two, it is predicted that more rule changes will come into force. The exact details behind this are yet to be disclosed, however.

By the time we go to the summer, it is expected that CMMC efforts will be scaled up as more assessors are trained and available to help out with investigating and certifying organizations.

CMMC Moving Forward

CMMC is very important as it ensures businesses and their networks are all safe from damaging security breaches. The advice and framework from the CMMC can ensure that your company is as protected as possible. It is a good idea to work with experts offering a CMMC consulting service to implement the new strategy correctly.