DFARS 7012 to CMMC and DFARS 7021: An 8 Year Journey. What's Next?
Summit 7's CEO, Scott Edwards, shares about the 8-year journey from DFARS 7012 to CMMC 2.0 and what's next for the Defense Industrial Base. Learn how to prepare for your CMMC assessment.
As we approach the 8-year anniversary of the DFARS 252.204-7012 effective date of October 21, 2016, it’s incredible to look back at the journey we’ve all been on. The publishing of DFARS 252.204-7021 - the CMMC Program Rule (32 CFR) - isn’t the end of the journey, but it certainly is a major milestone for the Defense Industrial Base (DIB).
In 2016, the focus was ensuring compliance with NIST SP 800-171 to protect Controlled Unclassified Information (CUI) and reporting any incidents to the DoD. Summit 7 recognized the importance of this new requirement - the challenge it would pose for the DIB - and we hosted our first public event on DFARS 252.204-7012 requirements in January 2017.
Since then, we’ve watched the landscape change as a dozen DoD Inspector General, Government Accountability Office (GAO), and industry reports were released, highlighting widespread DFARS 7012 non-compliance across the DIB. We have seen incident after incident get reported including major weapon systems, prime contractors, and small sub-contractors. We now have a major research university in the midst of a false claims act suit with DOJ related to their stance with the DFARS 7012 regulatory requirements.
Fast forward to September 2019, and we witnessed the release of CMMC 0.4, just in time for the very first CS2 conference, where we presented and discussed the impact of this new third party assessment and, at the time, the new requirements that would go with it.
CMMC 1.0 came shortly after in January 2020, and by November 2021, we saw the beginning of the CMMC 2.0 process, simplifying the model and removing the extra requirements but solidifying its importance for the defense industry. For the last three years we have been watching, educating and discussing the journey of DFARS 252.204-7021 as it has consistently passed the necessary rulemaking gates in record time.
Throughout this journey, Summit 7 has stood with our customers and provided the best guidance available as we worked to demystify the fog of rulemaking. From DFARS 7012 finalization in 2016 to the countless conversations and engagements we’ve had over the past eight years, we’ve been there, and we are honored that you have allowed us to take this journey with you. Today, as we stand at the finalization of the DFARS 252.204-7021 rule, we will continue to walk with you, side by side. Unfortunately, as an industry, we still have a long way to go.
What’s on the Horizon?
Looking forward, there are several significant developments on the horizon:
- The 48 CFR Rule – the beginning of DoD's phased rollout – will soon be finalized (likely within the next 6 months).
- The FAR CUI Rule, which will provide further guidance on how to handle CUI across federal contracts.
- A potential update to the DFARS 7012 Rule. We’re keeping a close eye on that.
- And even discussions around a new CUI Executive Order.
These additional and updated rules signal that compliance requirements are tightening, not only for the DIB, but for all federal contractors.
There are 80,000 companies that need to achieve CMMC L2 in the next 24-36 months and while many companies have yet to make appreciable progress towards Level 2 (L2) compliance, prime contractors are already including the DFARS 7021 clause in contracts and are moving faster than the government mandates. Based on industry reports and feedback, only 1-2% of affected companies are ready for assessment today. This means the pressure will soon be on, especially as primes continue pushing their subcontractors to meet CMMC requirements sooner than the government’s phased rollout schedule would expect.
Challenges Ahead and How We’re Here to Help
The road ahead will undoubtedly bring resource constraints – on the implementation and support side, as well as for the C3PAOs responsible for conducting CMMC assessments.
At Summit 7, we’ve taken proactive steps to educate and support our customers through these challenges. Since our first CS2 in 2019, we’ve hosted 14 CS2s and posted over 75 educational videos and sessions to YouTube.
Two years ago, we launched the SumIT Up podcast and have since produced around 75 hours of additional educational content on YouTube, all aimed at helping you navigate the evolving landscape of compliance. We know the challenges contractors face are real, but there’s no need to panic.
Start with a plan. If you’re unsure where to begin, our CMMC Pathfinder Tool is designed to help you assess your current standing and develop a clear roadmap to CMMC compliance.
Additionally, you’ll need a team in place to execute on the plan, but you don’t have to go it alone.
Summit 7 has the expertise and relationships to guide you through the entire process—from understanding the rules to achieving certification.
Join Jacob Horne and myself on November 7th as we walk through the CMMC rule. We’ll discuss what it says, what it means for you, and what to expect next.
Register for free here.