Summary of Recent Change from CMMC 1.0 To CMMC 2.0

Summary Of CMMC-Accreditation Board Webinar On November 18, 2021 Regarding Recent Change From CMMC 1.0 To CMMC 2.0

The CMMC-AB hosted a webinar to discuss the changes the DoD announced to the CMMC program. Chairman Matt Travis and Vice Chairman Jeff Dalton opened the meeting and presented the attached charts. 

The Facts:

  • On November 4th, 2021, the DoD announced changes to the CMMC certification program to make it easier for smaller defense contractors to obtain certification and bid on defense contracts.
  • The changes will not be codified for another 9 to 24 months but are proposed as follows:
    • 3 certification levels instead of 5 (Foundation, Advanced, and Expert)
    • Elimination of maturity processes… written policies, procedures, and resource plans are no longer required for each security practice
    • For the new Foundation Level (Level 1), the same 17 practices as the previous Maturity Level 1, but self-assessment is allowed provided a senior executive attests to compliance with these controls. This level is primarily for organizations that only handle FCI, and not sensitive CUI. Self-assessment must be done annually.
    • For the new Advanced Level (Level 2), the 110 controls of NIST SP 800-171 are required, and there are two sub-levels
      • Lower priority Level 2 contracts (not involving prioritized CUI) will require self-assessment per Level 1 above, annually.
      • Higher priority Level 2 contracts (involving prioritized CUI) will require assessment by a C3PAO every three years.
    • For the highest priority programs, the new Expert Level (Level 3) will be required, which involves the 110 NIST SP 800-171 controls plus the security controls of NIST SP 800-172. Assessment will be government-led and will be required every three years.
    • Waivers and POA&Ms will be allowed on a limited basis. When granted, waivers will be on a contract basis, not a control basis. POA&Ms, when granted, will be allowed for a limited time to correct practices needed for compliance.
    • CMMC certification is no longer required for the initial 15 DoD pilot contracts being awarded in 2021.
    • CMMC certification is not required until CMMC 2.0 is codified and implemented.
    • Flow-down rules still apply… the certification level required will be dictated by the sensitivity of the information flowing down to the contractor from their prime or from the DoD.
  • Additional information about CMMC 2.0 will be released on November 30, 2021.

Opinions and Observations:

  • CMMC 2.0, as currently defined, is a subset of CMMC 1.0 and will make it much easier for smaller companies to become compliant.
  • Even the mid-sized and larger companies will find it easier now that the maturity provisions have been lifted.
  • The DoD is making an important distinction here between FCI (Federal Contract Information) and CUI (Controlled Unclassified Information). FCI is less sensitive, so the DoD is reducing the certification and assessment requirements for companies that only handle FCI.
  • Chairman Travis and Vice-Chair Dalton were adamant in stating that the CMMC certification journey is not just about obtaining the certificate, it’s about the transformation… the improvement of cybersecurity defense maturity to protect vital data from attacks, both domestic and international.
  • There appears to be a rising amount of resentment among organizations and people who have paid the CMMC-AB to become certified as Registered Practitioners, other CMMC professionals, and C3PAOs and haven’t seen much business as a result.
  • The 2.0 changes are making this rift worse.
  • The argument that many RPs and C3PAOs are making is that the addressable market is now considerably smaller (more organizations are allowed to self-assess rather than pay an RP or a C3PAO), and the deferment of the CMMC certification requirement on DoD contracts delays their expected assessment and consulting support revenue.
  • The CMMC-AB counterargument is that even if the addressable market has shrunk from 300,000 defense contractors to fewer than 80,000 that will require the services of an RP or C3PAO, that is still a large addressable market. Those organizations that are allowed to self-assess are not required to hire an RP or C3PAO, but are welcome to do so to ensure their defense revenue streams are not interrupted by submission irregularities.
  • During the one-hour webinar, 281 questions were raised in chat. The presenters tried to answer as many as possible but were only able to address a small percentage of questions.
  • The sheer volume of questions raised highlights the need for both the CMMC-AB and the DoD to communicate more effectively on these changes and the impact they are having on all parties involved.