Updated: February 16, 2022.
Original post: November 4, 2021.
Big changes are coming to Cybersecurity Maturity Model Certification (CMMC), but there is little impact in the short term to the path forward for DoD contractors.
This post is my personal interpretation and opinion on information released from official sources about CMMC 2.0. This should not be construed as legal or contractual advice. No warranties are expressed or implied.
Overall Recommendation to DoD Contractors
Stay the course to raise your SPRS Score and prepare for audit as early as 2024. More detailed recommendations below.
CMMC 2.0 Explained
- The DFARS Interim Rule (DFARS 252.204-7012/7019/7020/7021) is still in effect, with the exception that CMMC Pilot programs have been suspended. Click here for more information on the DFARS Interim Rule.
- CMMC 2.0 is not yet in effect. It will not be required until a rule is published in the Federal Register that states the effective date it can go into contracts. DoD OUSD(A&S) estimates the rulemaking process could be finished anytime between August 2022 and November 2023.
- CMMC 2.0 may change significantly by the time the rules are published. Responsibility for the CMMC program has moved to the DoD Chief Information Officer (CIO) from DoD Acquisition & Sustainment (OUSD A&S). This means more changes are likely to come.
- UPDATE 2/2022: CMMC Audits will be required for all DoD contractors processing Controlled Unclassified Information (CUI). The audits will be conducted by CMMC Third-Party Assessment Organizations (C3PAO). This is according to the DoD Deputy CIO and overrides prior information from OUSD(A&S) about “bifurcation” that would have only required audits for DoD contractors processing the most sensitive data.
- CMMC 1.0 Level 3 is replaced by CMMC 2.0 Level 2. It will only require controls/practices "aligned with" the 110 NIST SP 800-171 controls instead of the 130 CMMC 1.0 Level 3 controls/practices and 49 Maturity Level processes.
- CMMC 1.0 Levels 4-5 are replaced by CMMC 2.0 Level 3. It will require unspecified controls/practices "based on" NIST SP 800-172 in addition to the 110 controls/practices "aligned with" NIST SP 800-171.
- Plans of Action & Milestones (POA&M) will be permitted; however, deficient controls must be "time-bound" and "enforceable". There will also be a waiver process that is "selective" and "time-bound".
Detailed Recommendations to Contractors