In early November 2021, the DoD finally published its updated CMMC standard, CMMC version 2.0, and expanded on it a bit in a special webinar on November 9, 2021. It is a dramatic shift from the version 1.02 standard.
Some of the biggest changes include:
- Cutting the number of levels down from 5 to 3. Roughly speaking, the old level 5 is the new level 3. The old level 3 is the new level 2, and level 1 remained the same. The mostly-useless old levels 2 and 4 are gone. For most of our clients, that means that their new target level is likely 2.
- Eliminating the third-party assessment requirement for all new-level-1 organizations and many new-level-2 organizations. These will be able to self-assess. It is still unclear what criteria will determine which old-level-3/new-level-2 organizations must be assessed by a third party.
- 100% compliance is no longer immediately required to reach a certification level, i.e. a Plan of Action and Milestones (POAM) WILL be allowed under the new model. Certain controls will still need to be in place and can't be deferred to a POAM. The current suggestion is that there will be a 180-day grace period if a company is not 100% compliant upon contract award.
- CMMC waivers (as in, complete waiver of all remaining CMMC requirements) can be issued under certain circumstances. There are no details on that process yet, but it’s reserved for short-term exigent needs.
- An additional (unspecified) delay before DoD starts including CMMC requirements in RFPs.
- An additional 9-24 months before CMMC will likely be made a contractual requirement. This part of the provision is vague.
- A reduction in the amount of policy, procedure, and planning documentation required for new-level-2.
- NIST SP 800-171's 110 controls are the only requirements for new-level-2, and the 17 controls from old-level-1 carry over to new-level-1. The 20 CMMC-unique requirements (the grey controls in the Assessment Excel file in our report) are eliminated for old-level-3/new-level-2.
- Enhanced but as-yet-unspecified equivalence mapping to other federal standards (e.g. FedRAMP High may let you skip CMMC entirely).
- You will be allowed 180 days after award of a CMMC contract to achieve full CMMC compliance. This is a reversal from the “Pass/Fail with a passing score of 100%” arrangement of CMMC version 1. Certain controls will be exempt from this grace period and will be required immediately.
So what does this mean for you?
- Your SPRS (Supplier Performance Risk System) score is still a relevant requirement, so there is still an immediate incentive to rapidly improve your organization's posture. For that reason alone, getting a readiness assessment at old-level-3 prepared you to report an accurate SPRS score.
- The 110 technical requirements of NIST SP 800-171 are still enforced, but the burden of proof for proving your compliance with these requirements has, for the most part, gone from unforgiving and rigorous to self-attestation.
- While the technical requirements are largely the same, the documentation burden is FAR less than it was under CMMC version 1. You are no longer expected to have extensive policies, procedures, or 'Domain Plans'. This is especially good in the 'Domain Plan' arena, since DoD never definitively established what those were supposed to be.
- You have more time, between 9 and 24 months, before any CMMC requirements are going to be relevant to your bids.
- You will at least be required to have an annual self-assessment. If you will deal with CUI that is considered 'critical', then you will need to be assessed by a C3PAO (CMMC Third-Party Assessment Organization) triennially.
- 'Critical' CUI is a new category created ex nihilo by DoD and CMMC and currently has no clear definition. Examples given by DoD in the webinar include 'things like weapons systems or control systems'. Less-critical CUI included things such as 'uniforms and their specifications'. This vague area is the most critical question that DoD has left unanswered, so it may behoove you to prepare as if you were going to be assessed by a C3PAO.
- There are still many vague areas. These are just a few examples: Which new-level-2 organizations will need to have third-party assessments? Will the new requirements still have a phased-in approach like version 1.02? How would you get a waiver from all CMMC requirements? Which requirements will be needed immediately, and which will have the 180-day grace period?
How can Appalachia help?