CMMC 2.0: Pumping the Brakes, or Hitting the Gas?

Posted by: Tony Farinaro February 23, 2022 CMMC, Compliance, Cybersecurity

Whew!  The Department of Defense (DoD) just handed you a reprieve.  Accompanying its release of the Cybersecurity Maturity Model Certification (CMMC) version 2.0 in November 2021, the DoD announced it would not include a CMMC compliance requirement in any new contract solicitations or renewals until the completion of a formal rulemaking process.  That process likely will take between 9 and 24 months.

So, now you’ve got some time before you need to embark on your CMMC compliance journey, right?  After all, it seems like the DoD just kicked the CMMC can down the road for another 2 years.  But hold on a second.  On closer examination, the DoD’s CMMC retrenchment may well mean you’ll need to account for CMMC sooner than you would have under the former plan.

Prior to the launch of CMMC 2.0, the DoD anticipated a 5-year rollout for the framework, beginning in government fiscal year 2021 and running through government fiscal year 2025.  On that timeline, all new contract solicitations and renewals would incorporate CMMC by October 2025.  However, the rollout wasn’t linear, but back-loaded.  In other words, most companies in the Defense Industrial Base (DIB) wouldn’t have been impacted by CMMC until 2024 or 2025.

Under the new plan, CMMC goes into effect as soon as the rulemaking process for CMMC 2.0 ends, which will be no later than November 2023.  In other words, you’ve almost certainly got less time to get ready for CMMC than you did before!

You might be breathing easier because you know that CMMC 2.0 has eliminated process requirements entirely and scaled down the number of practice requirements for compliance.  And you understand that a significant percentage of the DIB will no longer be subject to a third-party audit, but can instead self-assess and attest to their own compliance.  Again, it feels like things just got easier.  Not so fast.

With the adjustments the DoD made to the CMMC framework to address feedback from the DIB and better accommodate small and mid-sized businesses, expectations – and consequences – have risen.  Come November 2023, there will be no excuses for failure.  Here’s why:

  • CMMC 2.0 maturity levels 1 and 2 align directly with NIST SP 800-171: Level 1 covers the 17 basic safeguarding practices drawn from it, and Level 2 covers all 110 of its controls.
  • Any member of the DIB that stores, handles, or processes controlled unclassified information (CUI) has been subject to Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 for the past several years. DFARS 7012 incorporates NIST 800-171 and its 110 security controls.  Companies must maintain a System Security Plan (SSP), along with Plans of Action and Milestones (POA&Ms) that account for any of the 110 controls they don’t yet meet.  These firms should already be fully compliant, or have a solid plan to get there.
  • In September 2020, the DoD issued an Interim Rule that added DFARS clauses 252.204-7019 and 252.204-7020. DFARS 7019 and 7020 require members of the DIB to self-assess against 800-171’s 110 controls, calculate their scores, report those scores in the DoD’s Supplier Performance Risk System (SPRS), and indicate when they will achieve the maximum score of 110 if they aren’t already there.

In summary, CMMC 2.0 maturity levels 1 and 2, which will apply to the overwhelming majority of the DIB, present no surprises.  From the DoD’s perspective, if you handle CUI, you should already be fully compliant with 800-171.  If not, you should know precisely where your gaps lie, have a POA&M to address them, and a completion date – well ahead of November 2023.

You also may have heard CMMC 2.0 offers a bit of wiggle room, because it allows for POA&Ms.  That’s true, but some of 800-171’s 110 controls will not be eligible for inclusion in a POA&M.  In addition, POA&Ms will be subject to a short leash, likely 180 days maximum.

Perhaps you’re comforted by the fact that your company will be able to self-assess and self-attest, rather than undergo a third-party audit.  Keep in mind that the DoD intends to be far more aggressive validating self-assessments and reported scores through audits of its own.  Discrepancies can lead to significant consequences for your company under the False Claims Act.  And because corporate executives must confirm the accuracy of the reporting, they may face personal liability as well.  The expectations indeed are high, and so are the stakes.

With CMMC 2.0, the DoD hasn’t pumped the brakes; it’s hit the gas.  And you should, too.  Successfully implementing the 110 security controls of NIST 800-171 takes time and expertise.  At best, you’ve got until November 2023 to be ready; it may be sooner.  Time flies – you need to get moving, now.

We’re here to help. Exostar provides easy-to-use tools that can get you started on a faster track to NIST 800-171 compliance, including policy creation, regulatory guidance, SPRS score generation, and DoD Basic Assessment reporting.  Try them out for free.