CMMC News & Town Hall Updates
CMMC has been evolving since its inception, with the November 2021 reveal of CMMC 2.0 marking the most significant update (these changes can be found HERE). Since the reveal of 2.0, The Cyber AB (formerly the CMMC Accreditation Board (CMMC-AB)) has been holding regular Town Hall meetings to provide updates. In an effort to help navigate these changes and the impact on organizations, we have provided summaries of the meetings below, as well as other valuable and newsworthy updates.
Full Town Hall Updates from the CMMC Accreditation Body can be found HERE.
February 2024
IN THE NEWS:
On February 26, 2024, the period for public comment closed. Industry groups had requested an extension to the comment period; however, the DoD turned down the request. The Proposed Rule outlines a 4-phase approach for implementation, outlined in the below graphic. The exact start date for phase 1 remains unknown, since several of the dates it depends on are themselves still undetermined. With the comment period closed, the DoD must now address the questions submitted during the comment period. Next, the Office of Information and Regulatory Affairs (OIRA) must complete a review. OIRA previously received 90 days and may again take the same amount of time. After OIRA completes its review, the rule faces a 60-day congressional review. What makes this part more interesting (and unpredictable) is that the review must be completed by the same Congress. The 118th Congress will adjourn in December 2024. This means that if the current Congress is to review it, it would need to receive it by mid-October; otherwise it will need to wait until the new Congress convenes in January 2025. And finally, once the rule is published, it does not come into effect immediately. Instead, an effective date will be established, which will likely add more time. Projections at this point land a "best case scenario" effective date no sooner than Q1 2025.
December 2023
TOWN HALL UPDATE:
The DIB ecosystem got a small Christmas miracle in the waning days of 2023. The CMMC Proposed Rule was published, setting in motion a chain of events that will lead to its eventual adoption. Thankfully, the new rule did not contain much in the way of new content, and the vast majority of the requirements remain the same as they have planned to be since version 2 dropped in 2021.
The key point of the Proposed Rule is that it suggests an implementation window of the first half of 2025. At that point, Organizations Seeking Certification (OSCs) should already have their CMMC ducks in a row, as well as a spot on the waitlist of a Certified Third-Party Assessment Organization (C3PAO). There remains a scarcity of C3PAOs, and there is sure to be a massive bottleneck once the green light for assessments is lit.
At the end of the day, the message is to be ready well before 2025 and reserve your place in the assessment line as soon as possible. You don't want to be frantically making calls on Boxing Day 2025 only to find that your organization is number 103,502 in line (an actual possibility).
September 2022
TOWN HALL UPDATE:
The September Town Hall did not offer a considerable amount to report. There was mention of a newer credential for a "Registered Practitioner Advanced" that maps to CMMC Level 2.
IN THE NEWS:
DoD supplier PreVeil hosted a webinar titled "Lessons Learned from the Front Lines of CMMC's Rollout." During this webinar, they included an assessor/C3PAO and an assessee/OSC so attendees could hear directly about their experiences and apply the lessons to their own organizations. Early voluntary assessments are being done jointly by the DoD's DIBCAC and C3PAOs, with C3PAOs leading the process. Assessors ask for the relevant documentation and then fill in any gaps with the interview sessions. The interview sessions are heavy on demonstration, not just providing evidence. The assessors can ask for a demonstration of any control. Previously, the documentation led one to believe the OSC got to choose which controls to demonstrate and which to support with screenshot-style evidence. Most "unmet" findings were moved onto the POAM and the assessment was able to continue. As well, some "unmet" findings could be remediated during the assessment and marked as "met" the next day. At this time, there is still no documentation of the expectations for MSPs or cloud service providers. This area is still surrounded by speculation, namely that they may be required to be CMMC Level 2.
August 2022
TOWN HALL UPDATE:
Upon the release of the Draft CMMC Assessment Process (CAP), quality feedback was received during the 30-day ecosystem comment period. An overview of the feedback was shared, broken into categories: Structure, Style, Missing/Insufficient Information, Business Considerations, Conduct Assessment, and Other General Comments. A final category was Policy Feedback; however, it was noted that much of it is outside The Cyber AB's reach. It was announced that there will be a CMMC Ecosystem Summit on November 9th, 2022.
July 2022
TOWN HALL UPDATE:
Voluntary assessments are being scheduled with a 22 August start date. C3PAOs will conduct these Joint Surveillance Voluntary Assessments under DIBCAC's existing authority, and the assessments will be DIBCAC High. The CMMC draft rule will allow these voluntary assessments to convert to CMMC Level 2 Certification. The same evening as this Town Hall, the 1.0 draft version of the CMMC Assessment Process (CAP) was released. The final version will not be ready until next year, since the CMMC rulemaking is not complete. At this time, the draft CAP is not endorsed by the DoD and is not a controlling document for CMMC assessments. The Cyber AB also opened a 30-day comment period for the ecosystem, available on The Cyber AB website. The Town Hall also recapped the intention of the CAP, which is to guide how assessments are conducted in a consistent manner. The DoD will ultimately provide approval and endorsement of the final version.
June 2022
IN THE NEWS:
Recently, PreVeil, a DoD supplier, along with members of the Manufacturing Extension Partnership, hosted a webinar with DoD leaders Stacy Bostjanick (DoD CMMC Program Head) and Dave McKeown (DoD CISO) to review recent updates and timelines. As a CMMC RPO, it is our responsibility to remain up to date with any changes and to seek out information that may affect our CMMC clients. To that end, Appalachia Technologies' RP and Manager of Cybersecurity Services, Andy Warren, attended the PreVeil webinar. You can read the full review HERE.
May 2022
TOWN HALL UPDATE:
The May Town Hall, held in early June, once again did not provide significant updates for Organizations Seeking Certification (OSCs). During the Myth/Rumor Control section, it was clarified that C3PAOs are permitted to receive proprietary information from OSCs; however, they are not to retain the information unless otherwise allowed by the OSC. The second myth addressed stemmed from comments received suggesting that the CMMC is just a compliance program. It was clarified that the CMMC is both a compliance and a conformity standard.
The biggest news of this month's town hall is the announcement that the CMMC-AB has rebranded and is now to be known as The Cyber AB. The primary driver of the rebrand is to support a distinction between the DoD CMMC and the CMMC-AB. Included in the rebranding, along with a new name, are new badges for ecosystem members and a new website with more accessible resources.
April 2022
TOWN HALL UPDATE:
While the April update did not reveal any significant changes, it is worth noting that there was mention that the rule enforcing CMMC will likely be implemented in July 2023. Voluntary assessments are set to begin in August.
There was also an effort to clarify some of the terminology:
- Certification: Assurance from an independent body that a product/service/system meets certain requirements... e.g. C3PAOs will certify DIB companies.
- Accreditation: 3rd party attestation of conformity... e.g. CMMC-AB accredits C3PAOs.
- Professional Certification: Individual certifications... e.g. CMMC Assessors need to be certified to conduct assessments.
- Registration: Making an official record of names and other info, especially when based on qualifications... e.g. CMMC-AB registers RPs and RPOs.
- Qualification: Specific skill, experience, or knowledge to perform a job or activity.
- Licensed: Having a permit from an authority to use something or allow something to happen... e.g. CMMC-AB grants licenses to LPPs and LTPs.
- Attestation: Declaring something exists... e.g. C3PAOs attest 3rd party CMMC conformance.
In the second Rumor Control item, Cyber Liability Insurance vs. Data Breach Insurance was clarified. Cyber Liability Insurance is comprehensive and has first- and third-party coverages. Data Breach Insurance covers only first-party damages for a breach or intrusion. Of note, CMMC requires C3PAOs and RPOs to carry a minimum of $1 million in Cyber Liability Insurance.
March 2022
TOWN HALL UPDATE:
During the Myth/Rumor Control section of the Town Hall, the presenters reminded DIB organizations (OSCs - Organizations Seeking Certification) that any questions on CMMC requirements should be directed to RPOs and RPs rather than the CMMC-AB. Also, it was confirmed that the proper terminology is "assessment," not "audit," as recognized by both the DoD and ISO: organizations are being assessed on whether they follow CMMC standards. Otherwise, this meeting did not offer significant news.
February 2022
TOWN HALL UPDATE:
It was reported that organizations seeking Level 2 certification will now require third-party assessment. It was also stated that the DoD can allow for certain Level 2 contracts to use self-attestation, although this is expected to be infrequent and the exception to the norm. Level 1 organizations will still be able to self-attest. It was also clarified that existing contracts would not be affected retroactively once the Interim Rule is in place. Instead, the CMMC requirements will be for new procurements, contract renewals, and re-competed contracts.