It seems that we finally have a deadline for those of us who have CMMC requirements for our DoD contracts. Sounds like the deadline at this point will be May 2023, followed by a 60-day public comment period, and requirements ultimately appearing in DoD contracts by July 2023. This means that now is the time to prepare if you haven’t already!

According to the CIO of the U.S. DoD, “The Cybersecurity Maturity Model Certification (CMMC) program is aligned to DoD’s information security requirements for DIB partners. It is designed to enforce protection of sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program provides the Department increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.”

CMMC 1.0 guidelines were originally published in 2020. They outlined a basic framework for DoD contractors to follow and established a 5-year phase in period. After an extensive internal review, DoD refined the policy and released CMMC 2.0, which is designed to:

  • Safeguard sensitive information to enable and protect the warfighter
  • Enforce DIB cybersecurity standards to meet evolving threats
  • Ensure accountability while minimizing barriers to compliance with DoD requirements
  • Perpetuate a collaborative culture of cybersecurity and cyber resilience
  • Maintain public trust through high professional and ethical standards

The CMMC 2.0 program has now refined the model and added improvements, including:
1.Streamlining the Model

  • Reduces the model from 5 levels to 3 compliance levels
  • Uses National Institute of Standards and Technology (NIST) cybersecurity standards

2.Assessment Needs

  • Reduces assessment costs by allowing all companies at Level 1, as well as a subset of companies at Level 2, to demonstrate compliance through self-assessments
  • Increases oversight of professional and ethical standards of third-party assessors


  • Allows companies, under certain limited circumstances, to make Plans of Action & Milestones (POA&Ms) to achieve certification
  • Allows the Government to waive inclusion of CMMC requirements under certain limited circumstances


By updating and streamlining the CMMC requirements, the DoD has made it both easier for contractors to understand the guidelines and, in turn, to adhere to the requirements that CMMC 2.0 has set out to define. Because of the due diligence and effort that DoD put into the refinement of CMMC, our governmental supply chain will absolutely be safer in the future.

If your organization needs help preparing for the upcoming CMMC guidelines, Epsilon can help. Message us today to discuss the requirements you need and how to transition in time.