In November 2021, the DoD announced CMMC 2.0, a framework that requires DoD contractors to undergo cybersecurity assessments based on the criticality of the DoD information that the contractors will maintain on their systems. Contractors that will maintain controlled unclassified information critical to national security must undergo a CMMC Level 2 assessment to verify their compliance with 110 cybersecurity requirements outlined in Federal guidance. The Level 2 assessments are performed by a CMMC third‑party assessment organization (C3PAO) before contract award. The C3PAOs must successfully complete a series of 12 requirements before they can be authorized to perform the Level 2 assessments. In November 2020, the DoD issued a no‑cost contract to the CMMC Accreditation Body (AB) to manage the C3PAO authorization process and ensure that candidate C3PAOs meet the 12 requirements. On October 15, 2024, the DoD Chief Information Officer (CIO) published the final rule which established CMMC as a program effective on December 16, 2024.