Last Updated on June 27, 2022
The US Department of Defense (DoD) has recently clarified the CMMC 2.0 rollout schedule and announced a number of other program details.
John Verry, Pivot Point Security CISO and Managing Partner, shares a concise briefing on the official news and more on a recent episode of The Virtual CISO Podcast.
Rollout schedule update
According to Stacy Bostjanick, the DoD’s Director, CMMC Policy, the person effectively in charge of the CMMC program, the federal rulemaking process around CMMC 2.0 will be complete by March 2023. This opens the door to include CMMC 2.0 language in DoD contracts, which the DoD will begin doing 60 days later, in May 2023.
Contract award details
Say May 2023 rolls around and your business does not yet have a CMMC 2.0 Level 2 certification. Can you still be awarded a contract?
Yes, but only provisionally. As a starting point, you need to have an up-to-date score posted in the DoD’s SPRS database. As of now, you’ll also need an attestation from a senior company official that your score is accurate. Though the expectation is that eventually all contracts involving CUI will require a full assessment by a C3PAO.
From there, you’ll have a 180-day grace period to get your CMMC 2.0 Level 2 certification—a very tight timeline that definitely puts contracts at risk.
Certification with POAMS
Another key clarification is that it will be possible to achieve CMMC 2.0 Level 2 certification with a limited number of Plans of Action & Milestones (POAMs) still in place.
However, these POAMs cannot relate to “high importance” controls like encryption or multifactor authentication. Only minor controls (e.g., those scoring 1, 2 or possibly 3 points in the SPRS database) can be “under construction” at the time of your assessment.
The “cure period” to resolve your POAMs is 180 days.
3-year certification cycle
The DoD has also reiterated that a CMMC 2.0 certification is expected to be valid for three years. But instead of having surveillance audits in years two and three, certified firms will need to submit an “affirmation from a senior company official” that they are still in compliance.
This is similar to how Sarbanes-Oxley works, with management sign-off on the controls over financial reporting. And, as with SOX, some form of assessment, documentation or other evidence would need to be the basis for this executive affirmation.
CMMC V2 Level 3 news
CMMC V2 has three levels. Level 1 is for “FCI only” contractors, and Level 2 is for those handling controlled unclassified information (CUI).
Level 3 will include all the Level 2 controls plus a still unspecified subset of the 35 controls described in NIST 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.
For orgs seeking a CMMC Level 3 certification, the DoD has clarified that the assessment process will have two phases:
- First, you will need to pass a CMMC Level 2 certification assessment conducted by a C3PAO.
- Next, a Defense Contract Management Agency (DIBCAC) audit team will perform a CMMC Level 3 assessment.
Early adopter program approved
Despite concerns about delays, the CMMC early adopter program now has official approval and is rolling forward. So, early adopter organizations that have passed their assessments can being stating that they are certified to the current CMMC version.
The DoD’s expectation is that they will need to certify 4,000 assessors to meet assessment demands in 2023. By 2024, the hope is that 8,000 assessors will be ready to meet the growing demand.
How many organizations will need a CMMC Level 2 certification? The current estimate is about 80,000.
To hear John Verry’s complete CMMC update briefing, click here.
Looking for more CMMC 2.0 guidance? Check out this recent podcast episode with CMMC experts Kyle Lai and Caleb Leidy: EP#82 – Kyle Lai & Caleb Leidy – Ongoing Challenges in CMMC