CMMC Update by Glenda R. Snodgrass for The Net Effect
[ View this email in your web browser ] [ Visit our archives ] [ Sign Up for this Newsletter ]

July 13, 2022

Good afternoon, everyone!

A few weeks ago, I spoke at the NCMS National Training Seminar in Minneapolis, and was able to participate in the conference all week. There was a lot of valuable information related to protecting CUI and the upcoming CMMC assessment program. Here’s a quick recap of what I consider truly newsworthy.

And now there are sixteen! The number of authorized C3PAOs has doubled since my last newsletter. Building momentum!

May 2023 is the new target date

Stacy Bostjanick was among the panelists speaking about CMMC, and shared a lot of news.

The timeline for the CMMC rulemaking has been shortened. The DoD now expects the final rule by March 2023, with the CMMC clause appearing in contracts beginning May 2023. If you handle CUI and aren’t already well on your way to full implementation of NIST 800-171, you need to pedal faster!

They’re coming back

The “delta” 20 practices that were removed from CMMC v 1.0 are expected to be included in the upcoming rev 3 of NIST 800-171 (maybe also the maturity processes, and possibly a few more controls from NIST 800-53, from what I’ve heard elsewhere). Ms. Bostjanick stated “Now CMMC is tied to NIST so when that changes, CMMC changes.”

(Of course, the policy and practice document requirements never went away, right? Because you know all about the NFO controls and have already developed these, along with your SSP.)

Did you record a perfect 110 in SPRS?

You are already aware that Medium Assessments are coming, but did you know that organizations that recorded a perfect score of 110 in SPRS are expected to be the first to get that call?

POAMs are for 1-pointers only

Yes, short-term (180 days) POAMs may be allowed for particular contracts, but we have clear guidance now that none of the high-point controls can be on a POAM at the time of official assessment (the one exception being you may be allowed a POAM for the extra two points of FIPS 140-2 validated encryption). POAMs are no longer the DIB’s “get out of jail free card.” And you still must have a minimum score of 90 to be eligible for certification with POAMs, so you can’t have very many of even the 1-pointers.

The CMMC AB is now the CyberAB

The CMMC Accreditation body has rebranded itself the the Cyber AB, with a new website and new logo.

The time to prepare for official assessment is now.

It's important to remember that the CMMC does NOT represent any new security controls! Literally every single control in CMMC L2 has been required of contractors who handle CUI since 2017. The only thing that has changed is the DoD wants you to prove that you are doing what you have been attesting to for five years.

P.S. – Need help? I’m just an email or phone call away!

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab. Feel free to share this update!

Glenda R. Snodgrass Sincerely,

Glenda R. Snodgrass
The Net Effect, LLC
251-433-0196 x107

If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!

TNE. Cybersecurity. Possible.

Speak with an Expert


The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
fax: (251) 433-5371
email: sales at theneteffect dot com
Secure Payment Center

The Net Effect, LLC

Copyright 1996-2024 The Net Effect, L.L.C. All rights reserved. Read our privacy policy