C3 has merged with Ingalls Read Press Release >>

A brief history of Department of Defense security requirements

Take a journey through the highlights of cybersecurity requirements for the Defense Industrial Base.

As we eagerly (anxiously?) await the release of the CMMC proposed rule, we thought it would be interesting to take a look back at the major milestones that have brought us to this point. When this rule drops, there will be somehow still be organizations taken aback that CMMC is “real”, that it will be enforced, and that it requires substantial work and investment.

Yet, as we outline here, we’ve had 13 years of warning. And while it feels like (and to some extent, this graphic suggests) that CMMC is the culmination of 13 years, the reality is that we’re somewhere in the middle. Threat actors will continue to evolve their techniques, and cybersecurity best practices—and the policies and regulations that enforce them—will need to continue to evolve to keep up.

What do you think this graphic might look like in 5 years? 10? 20?

A Brief History of DoD Security Requirements

Editor’s Note: This graphic was not intended to capture ALL the milestones in DoD cybersecurity requirements, but rather the most meaningful ones!

Get the downloadable version


A brief history of Department of Defense security requirements

Nov 2010: CUI Program Established

Executive Order 13556 establishes federal Controlled Unclassified Information (CUI) program, superseding a 2008 Presidential Memorandum on the designation and sharing of CUl.

Nov 2013: DoD Security Mandate

DFARS rulemaking introduces clause 252.204-7012, requiring “adequate security” and implementation of selected security controls from NIST SP 800-53 to protect Controlled Technical Information.

Jun 2016: Federal Security Mandate

FAR clause 52.204-21, Safeguarding of Contractor Information Systems becomes final, requiring controls outlined in NIST SP 800-171 to protect Federal Contract Information.

Oct 2016: DFARS Security Update

DFARS rulemaking clarifies clause 252.204-7012 and provides contractors until December 31, 2017 to implement specific security requirements comparable to those found in NIST SP 800-171.

Dec 2016: CUI Protection Standard

NIST SP 800-171 (to be known as rev 1), Protecting Controlled Unclassified Information in Nonfederal Systems & Organizations is finalized and published.

Dec 2017: NIST SP 800-171 Deadline

Per the update to DFARS clause 252.204-7012, defense contractors must have NIST SP 800-171 controls implemented.

Jul 2019: Contractors Are Failing

DoD Inspector General reports contractors are broadly failing to implement NIST SP 800-171.

Jan 2020: CMMC 1.0 Released

After being announced in Jun 2019, Cybersecurity Maturity Model Certification (CMMC) version 1.0 is released, with an expectation that all new DoD contracts will eventually include CMMC requirements.

Nov 2020: CMMC & SP 800-171 Requirements

DFARS rulemaking establishes CMMC & NIST SP 800-171 assessment requirements, and establishes a 5-year phase-in period. (clauses 252.204-7019, -7020, -7021)

Mar 2021: DoD Internal Review

DoD conducts internal review of CMMC implementation, informed by more than 850 public comments to the interim rule outlined in CMMC 1.0.

Nov 2021: CMMC 2.0 Announced

The CMMC program structure and requirements are streamlined, updated, refined, and released following the DoD’s internal review.

Dec 2023 (?): (Anticipated) Release of the CMMC Proposed Rule

The Office of Management and Budget releases the proposed rule for CMMC implementation. After the public comment period has closed, the rule will go through a final revision before being finalized and published.