GjB and Associates reaction based on the links to DoD websites contained in the link below: https://www.defense.gov/News/Releases/Release/Article/2833006/strategic-direction-for-cybersecurity-maturity-model-certification-cmmc-program/ The five levels of CMMC 1.0 have been condensed into three levels. Level 1 “Foundational” appears to consolidate the old Level 1 “Basic” and Level 2 “Intermediate”. It also changes it from a certification based on a third-party assessment to an annual self-assessment. This is HUGE because under CMMC 1.0 it was estimated that 60% of the DIB would require Level 1 Basic and 10% would require Level 2 Intermediate. ~70% of the DIB companies will **not** be required to obtain a triennial third-party assessment but will need to register a self-assessment score annually. Level 2 “Advanced” is the old Level 3. A good change in my opinion. Level 3 “Expert” consolidates the old Level 4 “Proactive” and Level 5 “Advanced.” Another good change. More Detail on the Levels Level 1, the “foundational level,” will include 17 cybersecurity practices and require affected contractors to conduct annual self-assessments, according to a Pentagon website outlining CMMC 2.0. Senior executive will be required to sign off on the self-assessment Level 2, the “advanced” level, will require 110 practices aligned with the National Institute of Standards and Technology Special Publication 800-171, also known as NIST SP 800-171. Triennial third-party assessments for critical national security information Annual self-assessment for selected programs (bifurcation) Limited use of POAMs is expected. A minimal threshold score will be identified in the future by the DoD POAM’s not allowed for highest-weighted requirements POAM’s are now more critical Waivers Only allowed in select mission-critical instances Time-bound – no endless use of POAM’s Requires DoD approval A limited number of waivers will be given Level 2 Bifurcation: Not yet available. Department will determine what qualifies for what. The impact of a compromise on the CUI will be taken under consideration for the determination of bifurcation Level 3, the “expert” level, will include 110 or more practices aligned with NIST SP 800-171. Going Forward/Summary Notably, all companies in the Level 1 category and a subset of companies in Level 2, will be able to conduct self-assessments rather than having to pay for third-party assessments. Other companies in Level 2 will have to undergo triannual third-party assessments, while all companies in Level 3 will have to undergo triannual government-led not CMMC-led assessments. Unlike the old model, CMMC 2.0 will allow for waivers to the cybersecurity requirements “under certain limited circumstances” for “selection mission-critical requirements.” Senior Pentagon leadership will have to sign off on waiver requests. Additionally, the Defense Department plans to specify a baseline number of requirements that must be achieved before contract award but will allow companies to complete the remaining requirements later following a “plan of actions and milestones,” or POAM, that would need to be in place. CMMC 1.0 had no such provisions. The CMMC 2.0 changes will be implemented after the completion of the rulemaking process for the Code of Federal Regulations and the Defense Federal Acquisition Regulation Supplement, following a public comment period. If our simplification is close to accurate, it will reduce the annual assessment costs for CMMC across the DIB by well over 50% from the DFARS Case 2019-D041. This puts the onus on vendors requiring Level 1 to perform an accurate self-assessment or risk an audit by DCMA that could result in severe punishment. Whistleblowers are financially incentivized to report those that file false assessments and thusly a possible False Claims Act violation and a potential fine. The Whistleblower could share as much as 1/3 of the fine. This is a very good approach and essentially makes the DFARS 252.204-7019 “Interim Rule” the “Permanent Rule” for most of the DIB. The independent third-party assessments are still required for Levels 2 & 3 and put the emphasis where it belongs. However, there will be a bifurcation of Level 2 and this is yet to be determined and communicated. I believe that the RPO companies in the CMMC ecosystem of practitioners will thrive but there will be far fewer C3PAO companies because there will be fewer vendors that need independent assessment. The CMMC 2.0 approach appears to be much more realistic and cost-effective than the CMMC 1.0 approach. Rulemaking must be completed to implement CMMC 2.0. Rulemaking – Codifying CMMC 2.0 Rulemaking under 32 CFR to establish CMMC program Rulemaking under 48 CFR is required to update the contractual requirement in the DFARS to implement the CMMC 2.0 9-24 months to complete Rulemaking. There will be a 60-day public comment period Contractors are directed by the DoD to complete your 110 requirements and not wait for the Rulemaking to be completed DoD can perform an audit at any time CMMC 1.0 requirements are gone
