July 13, 2022
Good afternoon, everyone!
A few weeks ago, I spoke at the NCMS National Training Seminar in Minneapolis, and was able to participate in the conference all week. There was a lot of valuable information related to protecting CUI and the upcoming CMMC assessment program. Here’s a quick recap of what I consider truly newsworthy.
And now there are sixteen! The number of authorized C3PAOs (CMMC Third-Party Assessment Organizations) has doubled since my last newsletter. Building momentum!
May 2023 is the new target date
Stacy Bostjanick was among the panelists speaking about CMMC, and shared a lot of news.
The timeline for the CMMC rulemaking has been shortened. The DoD now expects the final rule by March 2023, with the CMMC clause appearing in contracts beginning May 2023. If you handle CUI and aren’t already well on your way to full implementation of NIST SP 800-171, you need to pedal faster!
They’re coming back
The 20 “delta” practices that were in CMMC 1.0 but dropped from CMMC 2.0 are expected to come back in the upcoming Revision 3 of NIST SP 800-171 (maybe also the maturity processes, and possibly a few more controls from NIST SP 800-53, from what I’ve heard elsewhere). Ms. Bostjanick stated, “Now CMMC is tied to NIST, so when that changes, CMMC changes.”
(Of course, the policy and procedure documentation requirements never went away, right? Because you know all about the NFO controls, the Appendix E requirements in NIST SP 800-171 that nonfederal organizations are expected to satisfy as a matter of course, and you have already developed these along with your SSP.)
Did you record a perfect 110 in SPRS?
POAMs are for 1-pointers only
Yes, short-term (180-day) POAMs may be allowed for particular contracts, but we have clear guidance now that none of the high-point (3- or 5-point) controls can be on a POAM at the time of official assessment. The one exception is 3.13.11, FIPS 140-2 validated cryptography: the DoD scoring methodology deducts 3 points rather than 5 if you encrypt CUI but with non-validated modules, and that remaining gap may be allowed on a POAM. POAMs are no longer the DIB’s (Defense Industrial Base’s) “get out of jail free card.” And you still must have a minimum score of 90 to be eligible for certification with POAMs, so with a maximum score of 110 you can have at most 20 open 1-point items, and in practice far fewer.
The CMMC AB is now the Cyber AB
The CMMC Accreditation Body has rebranded itself as the Cyber AB, with a new website and new logo.
The time to prepare for official assessment is now.
It's important to remember that CMMC does NOT introduce any new security controls! Every single control in CMMC Level 2 has been required of contractors who handle CUI since 2017, when DFARS 252.204-7012 made implementing NIST SP 800-171 mandatory. The only thing that has changed is that the DoD now wants you to prove you are doing what you have been attesting to for the past five years.