Game Changing CMMC News
Today, the report that the Department of Defense commissioned on its internal review of CMMC was released. THERE ARE SO MANY THINGS THAT HAVE BEEN ROLLED BACK... READ CAREFULLY!!! There were many GAME CHANGING statements that I will share with you. Please review it yourself at https://www.acq.osd.mil/cmmc/about-us.html and https://www.acq.osd.mil/cmmc/implementation.html#impHero.
Here are my take-aways, based on my reading of this document:
- The new CMMC 2.0 framework will have to be sent out for public review and accepted, and is on hold until that action is completed. All CMMC efforts, including the provisional assessments, are on hold until that time.
- Until the Title 32 CFR and Title 48 CFR rulemaking processes are finalized, the DoD is discontinuing efforts to pilot this program and will not put CMMC language in contracts until full adoption is complete. Meaning you will still need to do DFARS. (Estimated 9-12 months before this is law.)
- The additional 20 CMMC Level 3 controls that were layered on top of DFARS and NIST 800-171 are going away.
- The Level 2 and Level 4 maturity categories are eliminated. There are now only Levels 1-3; the new Level 2 is the old Level 3, the level for contractors handling CUI.
- The CMMC Level 1 assessment can now be a self-assessment rather than a third-party assessment.
- For CMMC Level 2 (old Level 3) there will now be a split in the road: certain "non-prioritized" acquisitions/data will be able to be self-assessed, with an attestation given. "Prioritized" acquisitions/data will need a third-party assessment of just those assets. We are waiting to see what this looks like and what will define these two categories.
- CMMC Level 3 (old Level 5) requirements are still under development.
- POA&Ms are now allowed in specific cases, which they will further outline later!!! But with reasonable and enforceable timelines. Some items will not be allowed to be on a POA&M (TBA).
- Waivers may be granted on a select basis to exempt a contractor from all CMMC requirements for mission-critical components. That process is still under development.
- Still waiting on the assessors' guidebook to be released.
- There will be a minimum score requirement to support the ability to have a POA&M (TBA).
- "DoD is exploring opportunities to provide incentives for contractors who voluntarily obtain CMMC level certification." I hope it is financial in nature.
- Just do DFARS and NIST 800-171.
- Self-assessments will be fine for Level 1 and in some Level 2 cases (yet to be defined), but some contracts will require third-party assessments on prioritized assets.
- POA&Ms are now allowed, with timelines. SOME CONTROLS ARE NON-NEGOTIABLE.
- CMMC language will not be in contracts until the rule change (9-12 months).