Appalachia Technologies Blog

Appalachia Technologies team is comprised of a diverse mix of IT professionals, some of whom have been on the forefront of IT since the industry’s inception. Through the years, our team has developed a wide array of experience in understanding individual needs and how they relate to your business.

CMMC News & Update - July 2022


In your city or town, you know that stretch of road or highway that feels like it has been under construction for 10 years?  In many ways, the development of CMMC can feel like it too is marked with orange cones and will be underway for years.  From the most significant change of CMMC 1.0 (the OG version) to the November 2021 update to CMMC 2.0, to even the CMMC-AB name change to The Cyber AB, new information seems to keep coming with timelines shifting.  While The Cyber AB holds monthly Town Hall webinars to share updates, the DoD and various vendors are also sharing out information via webinars.  Recently, PreVeil, a DoD supplier, along with members of the Manufacturing Extension Partnership, hosted a webinar with DoD leaders Stacy Bostjanick (DoD CMMC Program Head) and Dave McKeown (DoD CISO) to review recent updates and timelines. 

As a CMMC RPO, it is our responsibility to remain up to date with any changes and seek information that may affect our CMMC clients.  Toward these efforts, Appalachia Technologies’ RP and Manager of Cybersecurity Services, Andy Warren, attended the PreVeil webinar.  In an effort to sort through the information, Andy provided his summary of the presentation and highlighted key details.

*Items in bold are significant or potentially new or clarified information.

- Those who fall under Level 3 (Expert, previously Level 5) will have 24 requirements out of 800-172, 134 total.

- Companies will be allowed to POAM (Plan of Action and Milestones) any controls with SPR (Supplier Performance Risk) score of 1. Companies can POAM the FIPS (Federal Information Processing Standard) requirement (score of 5).

- Program Managers can submit Waiver requests for new and fast-changing companies. *This will be rare.

- Level 1 is for FCI (Federal Contract Information) only, as it always has been.  This will be an annual Self-Assessment.

- Level 2 for non-prioritized Acquisitions will have triennial self-assessments + annual affirmation.  This will be the vast minority of Level 2 organizations.

- Level 2 for prioritized Acquisitions will have C3PAO assess them triennially + annual affirmation.

- Level 3 for highest-priority programs will require triennial government-led assessment and annual affirmation

- Level 3 organizations will need to get Level 2 first.

- Rule being submitted to OMB (Office of Management and Budget) by mid-August.

- It is projected that the Interim Rule will be issued in Mar 2023, with a May 2023 start for CMMC requirements.

- The are planning a phased rollout, but probably different than the original plan.

- Day 1 will not impose CMMC requirements for CUI.

- If OMB doesn't grant interim rule, everything shifts out a full year, i.e. May 2024 beginning for requirements.


During the FAQ section of the webinar, the following was notable:

- POAM will still need to be closed out within the time period set during contract award, otherwise pay will be withheld.

- DoD is not helping with 'small' fraud cases such as CAGE code fraud.

- DoD encourages organizations to do early assessments whenever possible. Those who complete compliance early will get an extra year or two before having to re-up on their certification.

- DoD is working on a plan for specific FedRAMP/CMMC hybrid requirements for MSPs. This is not yet set.

- Responsibility Matrices are very important (i.e. which aspects of CMMC are covered by MSP and which by the OSC (Organization Seeking Certification)).

- DFARS 7012 will continue to apply aside from CMMC, which has an incident reporting requirement as well as the 800-171 requirements.

- CMMC clause will flow down to subcontractors, including international partners. DoD is starting with the Five Eyes nations (US, UK, Australia, Canada, and New Zealand) first.

Our goal is to serve businesses in our community, working to achieve CMMC compliance by providing resources to quickly keep you up-to-date and informed: 

  • CMMC Town Hall Recaps: As a CMMC RPO, we have RPs that attend the monthly hour-long CMMC Town Halls and boil it down to what is notable. The Town Hall recaps can be found HERE
  • Blogs: Our blogs are primarily created by our engineers from their perspective and point of expertise.  We have several blogs that are related to CMMC, including a free SPRS calculator and guidance, and can be found on our website.
  • Additional information and resources on CMMC can be found on this dedicated CMMC page of our website.

 If your organization is in need of a trusted advisor to assist you through the process, reach out to us to setup a call – 888-277-8320 or email at .

The OWASP Top 10: Security Misconfiguration
Social Engineering: A Story About How Breakfast Tr...

News & Updates

P R E S S  R E L E A S E Grantville, PA:  On Wednesday, October 19, Appalachia Technologies will be hosting a free in-person cybersecurity summit at the Hollywood Casino at Penn National Race Course for regional CIOs, CISOs, and IT Security Leaders.

Contact Us

Learn more about what Appalachia Technologies can do for your business.

Appalachia Technologies
5012 Lenker Street
Mechanicsburg, Pennsylvania 17050