On Tuesday, November 9th, 2021, the CMMC Accreditation Body (AB) hosted an urgent Town Hall meeting to discuss the newly released CMMC 2.0.
The purpose of this town hall was to give a deeper look into the DoD's and the CMMC AB's strategic plan for implementing CMMC 2.0 the right way. Details are subject to change during the rulemaking process, but it's good to see some transparency and discussion coming out of the industry feedback and the DoD's internal review.
Here are some of the highlighted updates:
- CMMC 2.0 documentation should be published by the end of November. It is expected to provide more guidance on topics such as scoping, a critical component that the DIB, as well as the DIB's supporters, have been waiting for.
- CMMC 2.0 will allow limited use of Plans of Action and Milestones (POA&Ms). The discussion centered on requiring POA&M items to be closed within 180 days of contract award. More detail on exactly how this will work is expected in the future.
- POA&M items will NOT be allowed for the highest-weighted requirements in the NIST SP 800-171 DoD Assessment Methodology, i.e., the 5-point requirements.
- There will be a minimum score required to support the use of a POA&M, but the answer to “what’s too low” was not defined.
- Waivers will only be allowed in mission-critical circumstances, and DoD must approve the waiver package.
- Rulemaking process: 9 to 24 months. Because the rulemaking obligations are mandatory, the process cannot be expedited.
- DoD will build the CMMC levels on NIST publications. Changes to the requirements will only be made through updates to the relevant NIST Special Publications (SPs), so requirements will be added to or removed from the CMMC framework only as those publications change.
- DoD is exploring incentives for contractors who voluntarily obtain CMMC Level 2 certification. More details will follow once they are available. Voluntary certification becomes a business decision for a contractor looking for a differentiator in the market, and that is an approach we like.
- DIB participation for CMMC will be voluntary until the formal rulemaking process is complete.
- The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), i.e., the government rather than a C3PAO, will assess CMMC 2.0 Level 3 ("Expert" level) for high-priority programs.
Overall, it was good to hear these topics being discussed publicly. The focus does not change for DoD contractors who handle Controlled Unclassified Information (CUI): NIST SP 800-171 needs to be implemented correctly AND managed on an ongoing basis.
Organizations within the Defense Industrial Base (DIB) and Defense Supply Chain (DSC) remain responsible for their compliance programs. Those awarded defense contracts will continue to be held accountable for meeting the contract's cybersecurity requirements and for proving that they do.
If you are looking for the most affordable and practical path to implement NIST SP 800-171, in order to meet the compliance requirements of DFARS 252.204-7012, 7019 and 7020 (and eventually CMMC 2.0), set up a time to talk with one of our cybersecurity and compliance advisors today.
As more information is publicly released, cuick trac™ will continue to provide updates via our website and social media channels such as LinkedIn, Twitter, and Facebook.
Also, always refer to the Office of the Under Secretary of Defense for Acquisition and Sustainment website and the CMMC AB's website for the most current and accurate information available.