CMMC Timeline Refresher

After four years of rulemaking here we are at the last podcast before the official start of CMMC phase 1. […]

After four years of rulemaking here we are at the last podcast before the official start of CMMC phase 1. What better way to usher in the new normal of CMMC than a quick refresher on how and why CMMC became a thing in the first place? Nothing helps contextualize the CMMC program like remembering how resistant the DoD has been to third party verification until they were left with no other choice.


Transcript

 

[Music] All right, folks. It’s November of 2025, the beginning of November of 2025. This is the last podcast before the start of the CMMC phased rollout. After all of this time, we are now less than a week away from the beginning of CMMC phase 1, at which point all new DoD solicitations and contracts will have some level of CMMC requirements in them forever. It will be a new world that we all wake up in on November 10th.

Just the other day, I was in DC at an event with one of our partners, A-ine. It was an awesome event and I was running through a very brief timeline of the big uh events that have happened leading up to CMMC since 2013. And a lot of people in the audience were looking at me like I was speaking Greek and they hadn’t heard these things before.

And I was thinking about it. We haven’t really done a review of the timeline in quite a while. So this week we’re going to talk about all the things that have happened since 2013 in a very a bridged form. Get everybody on the same page before we all uh fly off the end of the bridge on the bus that can’t go less than 50 miles per hour at the start of phase one here.

So, if you don’t get the movie reference, ask your parents, kids. That’s what we’re going to talk about this week.

Yeah. I mean it makes sense that there is like when you start talking about like the deep history of how the programming or why the programming exists and things that have happened in the past that some of the people you may be talking to in audiences now aren’t familiar with it because now people are just starting to take it seriously.

You know like there’s it comes in layers right the the interest uh in the program has come in layers based on the the pre-adopters and then the people that are now being forced to adopt it because it’s going to be applicable requirements there are finalized rules so you’re getting the fresh batch of the new audience of Minds to Educate. So, we start this circle of life again, I guess.

Yeah. I mean, there are people in the audience who don’t know who Katie Arrington is or who she was. Uh they’re making six, seven jokes. And so, I’m like, okay, whatever. We’re just going to start over from the beginning and we’ll get everybody caught up here.

So, we’ll do the very brief version. We’ll link to the history of CMMC video that we did all the way back in 2021, which is crazy to think about if you want more of the details, but we’ll just jump right into it and uh we can go from there.

Okay, so DAR’s clause 252204712, the center of gravity for cyber requirements for defense contractors that all of this other stuff orbits around. We did an entire podcast explaining DFAR712 and the other DAR’s cyber clauses in what we call the DFAR cyber series. So check those out uh below if you want to get familiar with the nitty-gritty details of the clause.

That clause was created for the first time in 2013. So a couple things here. First of all, before 2013, defense contractors didn’t have any explicit cyber security requirements in their contracts at all, which is kind of insane to think about, right?

Uh, and so it wasn’t until 2013 that there was an actual contract clause that said when you handle our data, you have to do cyber security requirements and you have to do these cyber security requirements specifically. A lot of people think that DR712 was created in 2016. It’s not true. Uh, it was created in 2013.

An interesting note about the 2013 rule is that 8171 didn’t exist yet. At the time, NAR was still in the middle of trying to create the federal CUI program. One of the tenants of the federal CUI program was a standardized set, a standard baseline of cyber security requirements across the federal government and across the federal government for their suppliers and contractors.

So at the time in 2013, the DoD pulled cyber security controls from NIS SP853 because that’s the standardized catalog where you would get security controls from. So if you’re watching the video, you can see uh the table that is in the 2013 rule where they lay out 59 controls from 853.

Uh you’ll uh be happy to know that many of these controls are still in the baseline that contractors have to this day because the requirements in NIST SP800171 are derived from controls in NIST SP853. So many of the things that people are being asked to prove they have implemented today are literally the same requirements they’ve had since 2013.

Uh which is a fun little factoid that uh people don’t they’re not always familiar with.

Yeah. So 2013, let’s just take a stab at trying to get this moving, trying to protect this data. Let’s pull out these things. And like many things, not great at the original onset and it’s improved over time, right? That’s there’s some good stuff. There’s some stuff in there that you don’t need.

There’s not a lot of controls. 59 controls is not a lot. Uh but like I said, there’s some evergreen stuff in there, right? Least privilege has been least privilege. You know, things like that have been the same concept for 30 years now, right?

So, they’re they’re not really going to change a lot in terms of what they’re asking for, but those requirements existed in 2013. DAR 712 was created in 2013. Uh, this goes back a lot farther than people think.

It certainly goes back farther than 2020 when a lot of people heard about cyber requirements and contracts for the first time when CMC 1.0 was announced.

But the thing to know here is that there was no verification mechanism. They put this clause into people’s contracts and they never asked for proof that any of these things were being done. Right. Interesting.

Which is a a common theme over the years of uh the government being very naive about uh whether people would be doing these things. There is no audit mechanism, third party verification, explicit requirement to prove that you’re doing this before you get the control data, which is a fatal flaw that the DoD is going to be uh trying to deal with uh in subsequent revisions up until we get to November 10th of 2025, 12 years later.

So anyways, we got this clause in 2013. It’s in people’s contracts. By virtue of accepting the contract clause and getting the work, you are telling the government that you are implementing these requirements. Government doesn’t ask, people don’t tell. Everybody goes about their business.

Everybody lives happily ever after until 2015, a couple years later, when the Office of Personnel Management experienced one of the largest uh comp well at the time, the largest compromise of the federal government’s information systems in history. Right?

This would be rivaled only by like Solar Winds uh couple years ago, right? But at the time, this this was it. This was the biggest one ever.

Uh this was part of a larger campaign by the Chinese Ministry of State Security to compromise, I think it was the STAR group of hotels, uh some health insurance companies for their data, and the OPM database of folks with clearances.

With those three data sets, they were able to triangulate the identities of spy, American spies in mainland China. Uh, which is pretty incredible.

A lot of people listening to this, basically every audience I’ve ever told this story to still has identity monitoring like to this day because of the fact that OPM got whacked.

That was a big problem because the requirements that are in contracts for people running cloud systems and dealing with sensitive but unclassified information like clearance data weren’t really covered very well with that 2013 contract clause.

Uh this was so uh effective that the director of national security at the time, James Clapper, basically gave the Chinese their props being like that was pretty legit. If we would have had the opportunity to do that, we would have 100% done the same thing.

Uh so, you know, uh game game game respects game, you know what I mean?

So, uh the OPM thing was 100% real and it triggered a you know, a panic response essentially uh with revising cyber requirements for defense contractors.

But that isn’t that that’s the the norm, right? The way that the the government works, especially when it comes to cyber, is it has to be a major event for them to react to to show that we’re doing something.

Even the 2013 rule was not something the DoD just woke up one day and thought, “Boy, that would sure would be cool if we did that.” It was triggered by a series of, you know, uh, system compromises back in like 2010, slightly earlier. It’s always in response to something bad happening.

Yeah. Use the football analogy, the defensive coordinator goes out, team gives up 500 yards and loses by 30. He’s like, “Yeah, we need to focus on covering or press coverage or whatever it is.” I mean, that’s exactly what this is.

But you, it was very comp or it was very impressive and give credit where credit’s due, but what improvements happened, right? Like Yeah.

So, we had the 2013 clause, massive compromise in 2015. And so people are basically like, what can we do here? Like what tools do we have? What do we need to do to do something, right? Somebody do something.

So after the 2015 compromise, there’s an interim final rule that revises DAR’s clause 252204712. And remember, if you’ve been listening to the podcast for a while, interim rules are a big deal because they don’t go through the normal rulemaking process where they propose changes to regulations, they get public comments, then they revise things based off those public comments, then they publish a final rule, and then the rule goes into effect, right?

They just issue a regulation without any public comment whatsoever and it immediately goes into effect. So those are very rare. They’re very difficult to get approved.

But this was after a massive national security incident. And so they get approval for an interim final rule and they revise def clause 7012 to now include cloud security requirements uh which is where we get fed rate moderate equivalency and all these sorts of ideas.

They also revised it to point to the requirements in NIST SP800171 rather than a selected set of controls from NIST SP853 because by this time NAR had started to get their hands around uh what the federal CUI program was going to be.

And so they replaced that original table of requirements from the 2013 clause with the requirements in 8001 171 in the 2015 clause.

Uh interesting note here. This is not uh this is not this says this rule in 2015 doesn’t say anything about December 31st, 2017.

The deadline to implement NIS SP8001 171 was December 31st of 2017, right? I mean, that’s what everybody that’s what that’s what we all learn in school and we’re going through CCP and CCA and all that other stuff.

This rule in 2015 doesn’t say that, right? The original deadline to comply with the version of DAR 712 that we know today was uh August 26th of 2015 when this interim rule came out.

So where did we get obviously, you know, we just had this massive OPM hack and this massive emergency. They’re not going to give you two years to implement requirements that they need to stem the bleeding on right now.

So how did this happen? And how did we go from, oh my god, revise the rule right now, everybody implement things right now to a deadline for implementation in December of 2017 later on?

It’s it’s got to it’s got to be over it just seems like seems like oversight, right? Like you don’t realize that you have to think about something until a problem arises. You have to think about something.

It seems like it’s reactionary again. Like it seems like that the rule went into place and they were like, “Oh, this might have been a bad idea to start this all at once.”

Well, so the thing was was the industry uh freaked out, right? They freaked out. They were like, “Oh my god, we have new requirements. We got this immediate deadline. We need more time. We need more time.”

And so they petitioned and sent in comments on this interim final rule to DoD that said, “We need more time to implement things.”

Interesting note, even though you had 59 controls in 2013 and now you have 110 requirements in 2015, the actual amount of stuff to do under the hood is less in 800171 than it was in 2013 because all the assessment objectives that you have to cover for those 59 controls in 2013 are way bigger than the 320 assessment objectives that you have in 8171.

So even though you have fewer things to do, two years after Dar712 was created, industry went to DoD and said, “We need more time.” Sound familiar?

And so they had a meeting. They had a public meeting in December of 2015. It’s public record. Uh I have never met anybody who was at that meeting, but they said they had almost a hundred people or 100 companies represented at this meeting in 2015.

And they decided that they were going to issue an update to the 2015 rule. It came out in October of 2016. And this rule said you have until December 31st of 2017 to implement these requirements.

So on the heels of a national security emergency, we get a rule in 2013 that says here are your requirements. On the heels of another national security emergency two years later, they say here’s a smaller set of requirements, but do them immediately.

And everybody said no, we need more time. So then they say okay you get 14 months after waiting a year uh to implement these requirements.

Now you have to have all the requirements implemented. Uh and then that’s the version of DAR 712 that we know and love today.

It hasn’t changed since this 2016 deadline to uh comply with that version of DAR 712.

So there was a huge extension of time granted to industry from the DoD to comply with the same version of the clause that we have as we’re talking right now with the same set of NIS requirements that they’ve had as we’re talking right now.

Nothing has changed since that point.

There was a huge extension of time granted to industry from the DoD to comply with the same version of the clause that we have as we’re talking right now with the same set of NIS requirements that they’ve had as we’re talking right now. Nothing has changed since that point.

So after this clause came out—oh, what’s up? Oh, no. I was just going to say the one thing to point out there is that the extension was granted because there was a justifiable reason even though it was less to do, right? Like than the 53 controls when they issued the 171 controls. Even though it was less to do there, it still was a change in format from this framework to this framework.

Yeah. I mean, so you can see that argument coming in. Now when you say when you say I have these new requirements technically you’re saying for 12 years right these requirements, right? It’s not—right, the requirements, the requirements haven’t changed.

Yeah so even the requirements are smaller and a bunch of the requirements are derived from the things you were already doing, everybody came back and said we need a lot of more time and the DoD was like okay so how about an extra, you know, by the time they were able to get the update to the rule out it had been over a year and then they gave people another 14 months.

How do you think that those 53 controls would have turned out if that’s what they would have stuck with? Like if here we are 12 years later and that set of 53 controls and people are like got to implement this and they’re trying to depict 53 instead of 171 which is child’s play in comparison.

I mean yeah so you know we’ve got these extensions and we’ve got a step down from the 2013 baseline. You know either way the takeaway for this one is there still isn’t a mechanism for verification. There still isn’t a third-party audit mechanism which you would have thought that the DoD would have, you know, the light bulb would have been off because you had the requirements in 2013.

Then you demand that everybody implements a smaller set of requirements. They all told you they weren’t doing it. So maybe they would have been like, geez, we should probably, you know, have people prove it. But then in 2018, NIST, NAR, DoD all get together where they have this big industry day, set of presentations on the revised DFR712 and the federal CUI program.

And this is sort of the height of NAR’s power at the time, which we’ve done episodes after people have left NAR and then retired from the government about how much they hated this process, which is all very interesting information. If you’re interested, we’ll link it below.

But someone in the audience, and I they didn’t say their name in the recordings. I wish I knew who this person was. Someone in the audience in 2018 was like, “This all sounds great, but there’s no requirement to prove that anyone’s doing this. Like, aren’t you going to ask people to prove that they’re doing this?”

And the DoD and NAR were very adamant that they did not want to have a verification mechanism whatsoever. Gus Gasani, one of the authors of NIST SP8171, he’s been there. He was the guy who started the rulemaking process in 2010 that gave us DAR712 in 2013. He still works in the DoD to this day. This is the OG Gandalf of this entire world.

And he was very colorful in his language which I had to censor on this quote where he’s like the department does not want to have a cottage industry of nonvalue added bleep. We had experience with third-party assessments before and it has not worked out well. That was his response to the question when Devin Casey, friend of the show, said he was the guy who wrote the 2016 NAR CUI rules.

This was the guy at NAR. He said that we don’t want to have third-party audits for 800171 as a general rate, policy across the government, not just for DoD. Uh because the businesses have the cyber security knowledge and the ability to protect their proprietary information because they’ve already been doing so for years.

Whoops. Sorry Devin, you missed on that one. Holy airball, as the kids might say. They said, “We don’t want to introduce a middleman certification between industry and the government about compliance where it’s not absolutely necessary.”

So after 2013 and they know people weren’t doing it and after an emergency and then people ask for more time now five years later they go we do not want to have third-party assessments unless it’s absolutely necessary.

So kids at home do you know what happened after this? Well this is hold on this is three years after the biggest breach of like the OPM breach and all that and they’re still saying we still feel as though they are adequately protecting this. We don’t need third-party verification.

Right. And they even there’s even another session I don’t have the quotes up here. There’s another session where they’re talking about FedRamp equivalency where they basically said this OPM hack was a direct result of people putting sensitive data in the cloud without any controls whatsoever.

But we don’t want to cut industry out of using cloud-based services. So if you’re going to put our data in the cloud, this clause is telling you that it has to be at least equivalent to FedRamp moderate. So Pinky promised that you’re going to put it into something that has some controls around it.

And as we all know, that definitely didn’t happen. So they go through this whole rigmarole, rulemaking, extensions, blah blah blah. We absolutely do not under any circumstances want third-party assessments unless it’s absolutely necessary.

And sure enough, a couple years later, another massive national security emergency directly stemming from the compromise of contractors’ unclassified systems. This time it was primarily in addition to F-35 and F-22, the Sea Dragon program.

The Sea Dragon program is a submarine-launched hypersonic anti-ship missile. And the Chinese Navy has the largest submarine fleet on the planet because when they try to take over Taiwan, the only way that the United States is going to be able to prevent that is with a carrier strike group.

And if you have a bunch of submarines with anti-ship hypersonic submarine-launched missiles, you can’t get the strike group close enough to Taiwan to keep them from taking over the chip factories. So, we lose. Which means that the government was ultra pissed when they found out that this super important program got handed to the exact set of people that we do not want to have this capability.

So, the best summary of the tone and the attitude of the government towards this discovery came from a 2019 interview with Major General Murphy. This was the guy appointed directly by, at the time, Secretary of Defense Mattis to be in charge of what was known as the Protecting Critical Technology Task Force.

Sea Dragon gets whacked. SECDEF says, “You’re in charge of figuring out how to prevent this from ever happening again.” He goes out and gives an exclusive interview with Breaking Defense. And this dude was not playing around. He was not mincing words.

He was basically like, “If you don’t do these requirements, we don’t want to do business with you. If you want to be a liability to the lethality of the joint force, get out. We’re going to take your house. We’re going to take your kids. We’re going to take your contracts. You’re not working with us anymore. Period.”

Because we have been set back massively from a strategic perspective directly as a result of this compromise that could have been mitigated maybe entirely if you had just been doing the basic cybersecurity requirements that have been in the contracts for years that you said you were doing. Right?

So, they were justifiably and understandably extremely angry. If you’re watching the video, you can see some of the quotes that I pulled out of the interview. Definitely check it out. I’ll link it in the show notes below.

A lot of people at this time associated Katie Arrington with being a crazy person because she was going out at events talking like this, getting in people’s faces and getting super pissed, and people really didn’t like it. I tell people all the time, she was mimicking what the Protecting Critical Technology Task Force and Secretary Mattis were saying on the inside. It’s just that they weren’t the ones out in public saying it.

So, everybody associated it with this “crazy lady.” And it was not just her, right? It was the entire DoD up in arms over the fact that this happened.

Yeah. It’s the loss of something very critical from the defense sector because people weren’t doing what they said they were doing, but we were paying them to do.

No wonder people had the perspective in which they had. It’s weird to see people say that, “This is too difficult and this is going to limit the barrier of entry for organizations to come in,” when six years ago, the person in charge of their task force was pushing this even harder, saying that if this isn’t what you want to do, we don’t want to do business with you.

Yeah. His line right here says, “I would rather have this be a conversation than an explicit direction.” But as unfortunately we’ve seen over the years, if there’s no repercussions to not having security, there’s no incentive to have it, which is exactly what I’ve been telling people for years: if there’s no consequences, people don’t do the requirements.

It’s been proven over and over and over again. The DoD knows it. Everybody else knows it. You talk to people all the time. No judgment. They’re like, “Yeah, when it’s in my contract, then I’ll worry about it.” It’s exactly what he’s talking about in this interview in 2019. This goes back years and years and years.

So, there’s an IG report that looks into contractors and whether or not they have implemented these requirements directly as a result of the Sea Dragon compromise. The IG report is really bad. They find out that not only were contractors not implementing their requirements, contracting officers never once asked contractors whether they were implementing the requirements because there was no incentive or consequence for them to do it.

There was no incentive or consequence for the contractors to do it. So no one’s paying attention, and then the department and the program and the American taxpayer get totally screwed.

Right. So, the Senate Armed Services Committee hears about what happened, obviously. They read the IG report, obviously. And then in the FY20 NDAA, they put in an explicit provision that says you are going to create a framework that is going to hold contractors accountable and make them prove that they are implementing the requirements that are in their contracts.

They had a report that accompanied the FY20 NDAA where they just talked about this one issue. They said, “We believe that the prime contractors need to be held responsible and accountable for securing Department of Defense technology and sensitive information.”

And this is an important first step. This is not the end goal. This is the first step toward cleaning up cybersecurity in the supply chain, which is helpful to remember in the grand scheme of things. We just talked about changes to the CARRP system on the podcast a little while ago. It’s just the first step, right?

Is it the first step though? Well, we’ve had some other steps. At the time, this was intended to be the first step, but either way.

So, in the FY20 NDAA, section 1648 is the explicit provision that says you will create a framework to make contractors prove that they are doing their cyber requirements. Which is why when you read the CMMC final rules at 32 CFR and 48 CFR under the very top, under legal justification, it lists section 1648 FY20 NDAA.

The government, the DoD made the rules because Congress told them to, right? And Congress told them to because the DoD, the taxpayer, and American national security took a massive hit in 2017–2018 with Sea Dragon.

So every time over the years people have said, “Well, certainly Congress is going to annihilate or nuke CMMC from space,” you’re like, “Please scroll back to chapter one and read the legal justification for where this came from.”

Congress is the one who asked for it. So no, Congress is not going to turn around and say, “We don’t need that.” Especially when most of the people on the Senate Armed Services Committee are still on the Armed Services Committee that were serving back when they wrote this legislation. No chance. Fun fact, right?

So this is why I always have this quote that we’ve put out here for years where I’m saying CMMC is different from the requirements that it’s verifying because everybody heard about this in 2020 for the first time and so they said, “CMMC is making me do the requirements.” You’re like, no, no, no. It’s making sure you did the requirements, right?

It stems from Congress asking for proof that companies are implementing the things already in their contracts. It’s not making you do anything new. It’s making sure that you did those things.

I don’t know if you’ve technically done this right. If you put a slide where you quote yourself, don’t you just say it? And then you technically, like, like I’ve never seen this happen before.

Yeah, I know. Listen, at that point aside, November 7th, 2024, I can swear that I’ve heard you say that before then. We’ve known each other quite a long time. Yeah. This has been the line. This has been your go-to line. And people are like, “I still don’t get what you mean.” Six years ago, seven years.

Yeah. I mean, this is the thing. It is a program that verifies requirements. It’s not the thing that imposes the requirements, which is why people can often see me having a complete meltdown on LinkedIn every few weeks when people go, “The CMMC requirements cost me $150,000.”

It’s not correct. CMMC is the cost of your assessment. You folks on LinkedIn have got this man quoting himself. Quoting myself. My hair fell out. Thanks a lot. Thanks a lot everybody.

So that’s what that’s where it all came from, right? So then, sure enough, in 2020 we get the CMMC 1.0 rule. It’s an interim final rule. So now we have had two interim final rules in a row because this is such a dire situation, right? So clearly, people outside of the DoD, outside of the Senate Armed Services Committee, people at OMB who are very detached from these issues, have viewed this situation and been like, “This is a national security problem, have another interim final rule,” which is crazy to say that we’ve had two interim final rules to fix the same problem.

It gives you an idea of the gravity of the situation at the time. It is not easy to get interim final rules. Unfortunately, this interim final rule came out right at the end of the first—this came out in 2020.

And as we all know what happens—everybody. We were just talking about this in January. This is what everybody was saying on LinkedIn. When there’s a new administration, there’s going to be what? There’s going to be a freeze on rulemaking, and there’s going to be a review of programs, and there’s going to be a change in priorities, and there’s going to be a change in personnel, and CMMC is going to be doomed, right?

Well, nobody was saying that in 2021. We all said it this year because we felt like CMMC was going to be a real thing. But it happens under every administration.

So, we go through all of 2021 and we don’t hear anything. Katie Arrington gets run out of town, as many political appointees do when administrations change. They’re doing a review of the program for nine months, as many controversial programs do.

But remember, we’ve had two interim final rules in a row. We know contractors aren’t doing the requirements. We know contracting officers aren’t asking for proof of the requirements. Congress is pissed. DoD is pissed. It’s a very clear-cut situation.

At the end of 2021, the DoD comes out and says, “We got a great idea. We’re going to do CMMC 2.0 and we’re going to do more rulemaking.”

Couple things. One, this is the point in time where people turn their brains off and say, “CMMC isn’t happening because the DoD said it’s going to take us up to two years for us to complete new rulemaking.” They were like, “It got delayed. It’s another two years. It’s never going to happen.”

The trick was that when they said they were going to do an additional rule, rather than just a 48 CFR rule, they were going to do a 32 CFR rule. That’s when I read this at the time, like everybody else, and thought, “Oh, it’s over.” The government is not going to undertake the bureaucratic cost of modifying Title 32 of the Code of Federal Regulations unless they actually care about this situation.

And this was a new administration. Politically, this is not a political show, but politically a diametrically opposed administration from the previous one. And they picked up this program, which was deeply unpopular, and doubled down on it and said, “We’re going to do a second rule.”

At that point I was like, batten down the hatches everybody, because it might be 9 months, it might be 24 months, it might be 36 months, but it’s going to happen. You don’t commit to this arduous rulemaking process unless you’re super serious about this being a real thing.

But as we all know, when people heard that there was a delay, when they heard that there was going to be rulemaking, whatever that is, and it’s going to be two years, people stopped worrying about it. The DoD stopped talking about it. Katie Arrington went away. Major General Murphy retired. Secretary Mattis is no longer in the government. It just wasn’t a thing they were getting in people’s faces about anymore.

Well, I mean, you said a majority of the people in those subcommittees that were pushing this back in the day are still existent on the same subcommittees, right? So those were the voices in the back end that were pushing it. There was just no publicly facing voice pushing it.

Yeah. At the time, a lot of people will remember there was another head fake that happened because they said, “We’re going to do this rulemaking and we think that it’s going to go into contracts in the spring of 2023.” Right? Stacy was out there saying it, Buddy De’s was out there saying it, John Ellis was out there saying it. Everybody in the government was saying, “We’re going to get an interim final rule. It’s going to be in contracts in spring 2023.”

Which would make sense, because we got an interim final rule in 2015, an interim final rule in 2020. The problem is still not fixed. So we would get an interim final rule to finally get this thing up and running, right? We wouldn’t possibly—the national security situation hasn’t been fixed. If anything, it’s only gotten worse since those interim final rules.

The DoD was expecting an interim final rule, and for reasons that I have still not been able to find out for sure—but at this point I can only blame actual politics—OMB decided that this 32 CFR rule did not merit interim final status. It was going to have to go through the standard rulemaking process of proposed, comments, final, and then effective.

At which point there was this long delay in 2023. Instead of going into effect as an interim final rule in spring, we didn’t get the proposed rule until December of 2023. That’s when people were like, “It’s definitely not happening,” right? Because you were told it’s a big deal, and then suddenly it wasn’t. What person paying attention to this to any degree would take this seriously when they heard that? Clearly, you wouldn’t. I can’t blame anybody for thinking this isn’t going to happen.

But then it’s the creation of a new program. At some point, the arguing back and forth makes sense and people are like, “You’re right. We should change that.” Meanwhile, this is just the program to prove that you’re doing the requirements. The requirements are still in DFAR 712 this entire time. Nobody’s implementing the requirements. People are uploading SPRS scores all this time. DIBCAC is going around spot-checking people, and as they’ve told us in their presentations, every time DIBCAC would show up to do an assessment of somebody with a perfect score, the score would be off by like a hundred points.

Then DoD can see people’s POA&M dates in SPRS, and people would put in meme dates. They would put in that they were going to finish their POA&M in the year 2100. They were going to finish in 2399, as if DoD can’t see what they’re putting in SPRS. So take all the anger DoD had prior to this happening, and then people are just trolling them in SPRS. They’ve got results from DIBCAC audits. They clearly want the interim final rule, and DoD—the customer—wants this interim final rule. And they get denied by OMB, ultimately, as far as I can tell. That was just politics for whatever reason.

But it set the program back. We didn’t get the proposed rule until the end of 2023. We got the final 32 CFR rule in October of 2024. It went into effect in December of 2024. That was the start of what we called the market rollout. People could go get their official CMMC assessments years after the Senate Armed Services Committee asked for this thing to happen.

But DoD wasn’t able to require it in contracts yet, because you had to have the updated 48 CFR rule to update the clause language for DFAR 252204-7012 to say you need this CMMC status level. We got that final rule in September of 2025. And now, on November 10th, 2025, we will finally see the first set of official CMMC status requirements in contracts—years after the 2020 rule came out, years after the Sea Dragon compromise, years after the 2016 revision resulting from the OPM hack, and over 10 years after DFAR 712 was originally created in 2013.

That’s why the CMMC program exists. That’s why it hasn’t gotten derailed. It has transcended multiple administrations. It has stemmed from Congress. It has transcended multiple Secretaries of Defense. It is the real deal. It is the thing that the DoD cares about.

So, if you’ve only been hearing about CMMC and you think it’s a new thing in 2025 or 2026, it’s not true. If you think it just popped out of nowhere in 2020, it’s not true. A lot of the rumors about it potentially going away or getting modified or changed are easily refuted if you just know a little bit about the backstory of how we got here.

There you go. That’s the story up until now. I still am slightly afraid that I’m going to go to sleep on November 9th and wake up, and it’s going to be November 9th again and we’re never going to get to November 10th.

Who knows? After November 10th, the timeline isn’t going to end. We’ve still got 32 CFR revisions in the future under CMMC 3.0 and 4.0. We’ve got NIST SP 800-171 Rev 3, Rev 4, Rev 5. We’ve got 8172 Rev 3, Rev 4, Rev 5. And who knows what other cybersecurity requirements are going to be included. DFAR 712 revisions are eventually on the docket. All these things will continue to expand. All these things will continue to change via rulemaking.

But there will no longer be this long slog in purgatory of waiting for DoD to be allowed to have it in contracts because they’ve been more than justified in needing it in contracts for a long time now.

So, there you go. Tell your friends—that’s the story. Maybe we’ll recap every year on November 10th, like Christmas carols, and remember the history of how we got here. Gather around, kids. Let me tell you the story.

All right. This is the last podcast before the phased rollout. After this, it’ll be a post-phased rollout podcast. Nothing’s really going to be all that different; we’re still going to be doing our thing. But it’s kind of symbolic. We’ve been trying to raise awareness about this problem to anybody who would listen before CMMC was ever a contract requirement.

It’s kind of crazy to think we’ve been doing this show for years now, and now here we are. Let’s see what happens. All righty. We’ll see you guys on the other side. We’ll see you next week.

[Music]

 

 

 

 

Contact

Speak With Our Team

Scroll to Top