Showing results for 
Search instead for 
Did you mean: 
No ratings
Archer Employee
Archer Employee

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) has developed the Cybersecurity Maturity Model Certification (CMMC) framework in concert with U.S. Department of Defense (DoD) stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs), and the Defense Industrial Base (DIB) sector. 

In September 2020, the DoD published an interim rule to the DFARS in the Federal Register (DFARS Case 2019-D041), which implemented the DoD’s initial vision for the CMMC program (“CMMC 1.0”) and outlined the basic features of the framework (tiered model, required assessments, and implementation through contracts). The interim rule became effective on November 30, 2020, establishing a five-year phase-in period. In March 2021, the Department initiated an internal review of CMMC’s implementation, informed by more than 850 public comments in response to the interim DFARS rule. This comprehensive, programmatic assessment engaged cybersecurity and acquisition leaders within DoD to refine policy and program implementation.

In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:

  • Safeguard sensitive information to enable and protect the warfighter
  • Dynamically enhance DIB cybersecurity to meet evolving threats
  • Ensure accountability while minimizing barriers to compliance with DoD requirements
  • Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience
  • Maintain public trust through high professional and ethical standards

With the implementation of CMMC 2.0, the Department is introduced several key changes that build on and refine the original program requirements, including:

  • Streamlined Model
    • Focused on the most critical requirements: Streamlines the model from 5 to 3 compliance levels
    • Aligned with widely accepted standards: Uses National Institute of Standards and Technology (NIST) cybersecurity standards

  • Reliable Assessments
    • Reduced assessment costs: Allows all companies at Level 1 (Foundational), and a subset of companies at Level 2 (Advanced) to demonstrate compliance through self-assessments
    • Higher accountability: Increases oversight of professional and ethical standards of third-party assessors

  • Flexible Implementation
    • Spirit of collaboration: Allows companies, under certain limited circumstances, to make Plans of Action & Milestones (POA&Ms) to achieve certification
    • Added flexibility and speed: Allows waivers to CMMC requirements under certain limited circumstances



This content is available in English only.


Mappings for the Cybersecurity Maturity Model Certification Framework (CMMC) Authoritative Source Content to the Archer Control Standard Library are available in the authoritative source content pack.

Content Source

The source of this content comes from the Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification website.

Licensing Restrictions

The Cybersecurity Maturity Model Certification Framework (CMMC) authoritative source content is available with the use of the Archer Policy Program Management use case, the Archer IT Policy Program Management use case, and/or the Archer Assessment & Authorization use case. No additional license is required.

For More Information

To learn more about the Cybersecurity Maturity Model Certification Framework (CMMC) Authoritative Source Content:

For Additional Support

To learn more about this content, please contact your Account Rep for additional details. For technical support questions, please open a support case.

Was this article helpful? Yes No
Version history
Last update:
‎2022-06-21 02:29 PM
Updated by: