November 4, 2021
Good afternoon, everyone!
Announcing CMMC 2.0 and The Way Forward
The DoD has just updated its website following completion of its internal review, with proposed changes to the CMMC Model. The final rulemaking is expected to take 9-24 months. Here are some highlights of the proposed changes:
Eliminating levels 2 and 4
Eliminating levels 2 and 4 was expected and changes nothing much for anyone except the person who has to renumber all those practices in the CMMC documents.
Removing CMMC-unique practices
Removing the CMMC-unique practices is kinda sad, really, as there aren’t very many and most of them are actually really good practices and should have been included in NIST 800-171.
Removing all maturity processes
Removing all the maturity processes, however, is HUGE! This means a lot less documentation, which was to be a major part of the expense of CMMC ML3. I call this one a win, especially for small contractors.
Allowing annual self-assessments with an annual affirmation by DIB company leadership for CMMC Level 1.
I think this was pretty well expected, even if only for practical reasons: it’s going to be years before the CMMC-AB can produce enough assessors for every contractor subject to ML1. I call this one a win also.
Bifurcating CMMC Level 3 requirements to identify prioritized acquisitions that would require independent assessment, and non-prioritized acquisitions that would require annual self-assessment and annual company affirmation.
This one is interesting and likely to be problematic in the future. The best interpretation is that some contracts will require an official assessment, while others will permit self-assessment. And then there’s flowdown. Will a prime require official assessment for some subs but not others? Who decides? Using what criteria? I predict that this will get complicated.
CMMC Level 5 requirements are still under development
This affects so few companies, hardly anyone cares.
Development of a time-bound and enforceable Plan of Action and Milestone process
Ah, now this is interesting. POAMs will be allowed – but only for certain practices (none of the high-point practices can be on a POAM), and only for a certain time:
"The Department’s intent is to specify a baseline number of requirements that must be achieved prior to contract award, in order to allow a remaining subset to be addressed in a POA&M within a clearly defined timeline. The Department also intends to specify a small subset of requirements that cannot be on a POA&M in support of achieving a CMMC certification."
This is also pretty big IMO and very reasonable. I’m glad they are taking this step.
Development of a selective, time-bound waiver process, if needed and approved
Don’t get too excited about this one:
"Under CMMC 2.0, the Department intends to allow a limited waiver process to exclude CMMC requirements from acquisitions for select mission-critical requirements. Waiver requests will require senior DoD leadership approval and will have a limited duration. The specifics of the waiver requirements will be implemented as part of the rulemaking process."
I can see this being applicable when a big prime needs a very specific part from a sub that isn’t fully compliant yet, and the prime asks for a waiver for this one thing, on this one contract, right now. It’s not going to happen very often.
So, what does this mean to you?
If you don’t handle CUI, you get to self-attest to ML1:
DoD’s intent under CMMC 2.0 is that if a DIB company does not process, store, or transmit Controlled Unclassified Information (CUI) on its unclassified network, but does process, store or handle Federal Contract Information (FCI), then it must perform a CMMC Level 1 self-assessment and submit the results with an annual affirmation by a senior company official into SPRS.
So you still need to actually implement those 17 practices, put the results into SPRS, and affirm that they’re accurate. Remember, it’s important to be accurate and truthful when you self-attest. There’s still the False Claims Act to consider, in addition to the new initiative by the DOJ to investigate contractors who hide potential data breaches.
If you handle CUI and/or export-controlled data, not a lot has changed. The DFARS 7012 clause is still in force, requiring implementation of NIST 800-171 (and a few other things). The interim rules 7019 and 7020, requiring self-assessment of NIST 800-171, also remain in place. Prime contractors will continue to pressure their subs to close those open POAMs and improve their SPRS scores. Changes to CMMC don't affect ITAR/EAR regulations in any way. So you get to ignore those 20 “delta” controls in CMMC ML3 that aren’t in NIST 800-171 (for now! I’m sure they will be added back in at some point, as they are legit security practices), and, more importantly, the process maturity requirements are going away.
But wait! That doesn’t mean there are no documentation requirements. NIST 800-171 still requires an SSP, and nearly half of the controls require documentation of some sort, including written policies and practices. I expect process maturity will return in a later version of CMMC, so keep working on that as part of your implementation of NIST 800-171.