CMMC News & Town Hall Updates
CMMC has been evolving since its inception, with the November 2021 reveal of CMMC 2.0 marking the most significant update (these changes can be found HERE). Since the reveal of 2.0, The Cyber AB (formerly the CMMC Accreditation Board (CMMC-AB)) has been holding regular Town Hall meetings to provide updates. In an effort to help navigate these changes and the impact on organizations, we have provided summaries of the meetings below, as well as other valuable and newsworthy updates.
Full Town Hall Updates from the CMMC Accreditation Body can be found HERE.
September 2022
TOWN HALL UPDATE:
The September Town Hall did not offer a considerable amount to report. There was mention of a newer credential for a "Registered Practitioner Advanced" that maps to CMMC Level 2.
IN THE NEWS:
DoD supplier PreVeil hosted a webinar titled "Lessons Learned from the Front Lines of CMMC's Rollout." The webinar featured an assessor (C3PAO) and an assessee (OSC) who spoke directly about their experiences so that others could learn from them. Early voluntary assessments are being done jointly by the DoD's DIBCAC and C3PAOs, with C3PAOs leading the process. Assessors ask for the relevant documentation and then fill in any gaps during the interview sessions. The interview sessions are heavy on demonstration, not just on providing evidence: the assessors can ask for a demonstration of any control. Previously, the documentation led one to believe the OSC got to choose which controls to demonstrate and which to support with screenshot-style evidence. Most "unmet" findings were moved onto the POAM and the assessment was able to continue. Some "unmet" findings could also be remediated during the assessment and marked as "met" the next day. At this time, there is still no documentation of the expectations for MSPs or cloud service providers. This area is still surrounded by speculation, namely that they may be required to be CMMC Level 2.
August 2022
TOWN HALL UPDATE:
Following the release of the Draft CMMC Assessment Process (CAP), quality feedback was received during the 30-day ecosystem comment period. An overview of the feedback was shared, broken into the categories Structure, Style, Missing/Insufficient Information, Business Considerations, Conduct Assessment, and Other General Comments. A final category was Policy Feedback; however, it was noted that much of it is outside The Cyber AB's reach. It was announced that there will be a CMMC Ecosystem Summit on November 9th, 2022.
July 2022
TOWN HALL UPDATE:
Voluntary assessments are being scheduled with a 22 August start date. C3PAOs will conduct these Joint Surveillance Voluntary Assessments under DIBCAC's existing authority, and the assessments will be DIBCAC High. The CMMC draft rule will allow these voluntary assessments to convert to CMMC Level 2 Certification. The same evening as this Town Hall, the 1.0 draft version of the CMMC Assessment Process (CAP) was released. The final version will not be ready until next year, since the CMMC rulemaking is not complete. At this time, the draft CAP is not endorsed by the DoD and is not a controlling document for CMMC assessments. The Cyber AB also opened a 30-day comment period for the ecosystem, available on The Cyber AB website. The Town Hall also recapped the intention of the CAP, which is to guide how assessments are conducted in a consistent manner. The DoD will ultimately provide approval and endorsement of the final version.
June 2022
IN THE NEWS:
Recently, PreVeil, a DoD supplier, along with members of the Manufacturing Extension Partnership, hosted a webinar with DoD leaders Stacy Bostjanick (DoD CMMC Program Head) and Dave McKeown (DoD CISO) to review recent updates and timelines. As a CMMC RPO, it is our responsibility to remain up to date with any changes and seek information that may affect our CMMC clients. Toward these efforts, Appalachia Technologies’ RP and Manager of Cybersecurity Services, Andy Warren, attended the PreVeil webinar. You can read the full review HERE.
May 2022
TOWN HALL UPDATE:
The May Town Hall, held in early June, once again did not provide significant updates for Organizations Seeking Certification (OSCs). During the Myth/Rumor Control section, it was clarified that C3PAOs are permitted to receive proprietary information from OSCs; however, they are not to retain the information unless otherwise allowed by the OSC. The second myth addressed stemmed from comments that the CMMC is just a compliance program. It was clarified that the CMMC is both a compliance and a conformity standard.
The biggest news of this month's town hall is the announcement that the CMMC-AB has rebranded and is now to be known as The Cyber AB. The primary driver of the rebrand is to support a distinction between the DoD CMMC and the CMMC-AB. Included in the rebranding, along with a new name, are new badges for ecosystem members and a new website with more accessible resources.
April 2022
TOWN HALL UPDATE:
While the April update did not reveal any significant changes, it is worth noting the mention that the rule enforcing CMMC will likely be implemented in July 2023. Voluntary assessments are set to begin in August.
There was also an effort to clarify some of the terminology:
- Certification: Assurance from an independent body that a product/service/system meets certain requirements... e.g. C3PAOs will certify DIB companies.
- Accreditation: Third-party attestation of conformity... e.g. the CMMC-AB accredits C3PAOs.
- Professional Certification: Individual certifications... e.g. CMMC Assessors need to be certified to conduct assessments.
- Registration: Making an official record of names and other information, especially when based on qualifications... e.g. the CMMC-AB registers RPs and RPOs.
- Qualification: Specific skill, experience, or knowledge to perform a job or activity.
- Licensed: Having a permit from an authority to use something or to allow something to happen... e.g. the CMMC-AB grants licenses to LPPs and LTPs.
- Attestation: Declaring that something exists... e.g. C3PAOs attest third-party CMMC conformance.
In the second Rumor Control item, Cyber Liability Insurance versus Data Breach Insurance was clarified. Cyber Liability Insurance is comprehensive and has first- and third-party coverages. Data Breach Insurance covers only first-party damages for a breach or intrusion. Of note, CMMC requires C3PAOs and RPOs to carry a minimum of $1 million in Cyber Liability Insurance.
March 2022
TOWN HALL UPDATE:
During the Myth/Rumor Control section of the Town Hall, the CMMC-AB reminded DIB organizations (OSCs, Organizations Seeking Certification) that any questions on CMMC requirements should be directed to RPOs and RPs rather than to the CMMC-AB. It was also confirmed that the proper terminology is "assessment" rather than "audit," as recognized by both the DoD and ISO: organizations are being assessed on whether they follow CMMC standards. Otherwise, this meeting did not offer significant news.
February 2022
TOWN HALL UPDATE:
It was reported that organizations seeking Level 2 certification will now require a third-party assessment. It was also stated that the DoD can allow certain Level 2 contracts to use self-attestation, although this is expected to be infrequent and the exception rather than the norm. Level 1 organizations will still be able to self-attest. It was also clarified that existing contracts will not be affected retroactively once the Interim Rule is in place. Instead, the CMMC requirements will apply to new procurements, contract renewals, and re-competed contracts.