
Year in Review: CMMC Rulemaking Progress in 2023

As 2023 draws to a close, the CMMC program has made significant progress despite not yet reaching the finish line. Here is a comprehensive timeline of the major developments this year and what they signal for the defense industrial base.

Q1 2023: Groundwork

The year began with the DoD continuing internal development of the CMMC 2.0 proposed rule (32 CFR Part 170). The Cyber AB (formerly the CMMC Accreditation Body) continued accrediting C3PAOs and training assessors, building the ecosystem needed to conduct assessments once the rule goes live. Several C3PAOs completed their own CMMC assessments, establishing the first wave of authorized assessment organizations.

Q2 2023: NIST SP 800-171 Rev 3 Draft

In May, NIST released the initial public draft of SP 800-171 Revision 3, signaling the eventual evolution of the CMMC baseline. While CMMC 2.0 will initially use Rev 2, the publication of Rev 3 started important conversations about the transition timeline. The comment period generated significant industry feedback, particularly around the increased control count and structural changes.

Q3 2023: Industry Preparation

The third quarter saw an acceleration in industry preparation. Major prime contractors began flowing CMMC-related requirements down to subcontractors with increasing urgency. The managed security service provider (MSSP) and compliance consulting markets expanded rapidly, with new entrants competing for DIB customers. CUI scoping and boundary definition emerged as the most challenging preliminary step for most contractors.

Q4 2023: Proposed Rule Anticipation

By the fourth quarter, the defense community was anticipating the publication of the proposed rule. The DoD had submitted the proposed rule to the Office of Information and Regulatory Affairs (OIRA) for review — a standard step before publication in the Federal Register. Industry analysts predicted a Q1 or Q2 2024 publication date.

Key Themes

Several themes defined 2023. First, the gap widened considerably between contractors who started preparing early and those who have not. Early movers have SSPs, evidence collection processes, and SPRS scores that reflect real implementation. Late movers are still figuring out what CUI they handle.

Second, the C3PAO ecosystem continued to mature but remains small. The number of accredited C3PAOs is not yet sufficient to assess the entire DIB, which will create scheduling pressure once assessments become mandatory.

Third, the cost conversation intensified. Small businesses expressed concern about the financial burden of compliance, particularly the cost of third-party assessments, cloud migrations to GCC High environments, and the professional services needed to build compliant programs.

Looking Ahead to 2024

The proposed rule is expected to publish in early 2024, followed by a public comment period. The final rule and phased implementation will follow. Contractors who have not started preparing should begin immediately — the timeline from zero to assessment-ready is typically 12 to 18 months.
