
CMMC 2.0 is Coming – In a Year or Two

CMMC just became more complicated or more simple.

The feds published an advance notice of proposed rulemaking (ANPR) for CMMC 2.0 and then just as quickly, unpublished it. The Federal Register, the place where official notices are published only said that they asked for it to be unpublished.

So people saw the ANPR for about 18 hours and here is what they saw:

  • CMMC Levels 2 and 4 would be removed. Since DoD already said they don’t plan to use them, that is not a big deal.
  • CMMC Level 1 would be a self assessment. Whether this is important depends on the consequences of lying. After all, the current 800-171 is pretty much a self assessment and we have seen how well that worked. 80% of the companies DoD assessed for 800-171 compliance failed.
  • The process maturity sections of CMMC would go away. This is a big loss because without process maturity you really haven’t integrated security into the culture.

There seems to be a big disconnect between what is CUI and what is not. I was involved in a long conversation today where the customer of a three letter agency was saying, in their contract, that the names and personal information of contractor employees were CUI. If the names of your employees working on a contract are CUI, then holy cow, what else is CUI? This is a big unknown right now.

For now all assessments and certifications are on hold.

It also means that all of the companies in the CMMC ecosystem, from trainers to certifiers, are wondering about their investments. Some invested a lot of money.

On the other hand, DFARS 252.204-7012 and its underlying requirements of NIST SP 800-171, which is about 80% of CMMC version 1, Level 3, is still there and does not appear to be going away. If DoD follows through with what it said, for a few hours, was its plan, then NIST SP 800-171 is going to be 90+% of CMMC.

Was the release of CMMC 2.0 a mistake? A trial balloon? Intentional sabotage? No one is saying.

Personally, I think it was a trial balloon, but who knows.

Reports are that it will take the feds at least a year from now to develop the regulations behind CMMC 2.0 and that assumes that it doesn’t change from what was leaked. Of course, that is just a rumor. For all we know it could drop next week.

What we do know is the pilot program is suspended and contract requirements are being removed.

It is our recommendation that customers who are not fully compliant with 800-171, which your contract says you are currently certifying that you are, need to continue working towards becoming fully compliant. The DoJ announced two weeks ago that they intend to prosecute folks who are lying about that. How aggressive that is going to be is unknown. What is known is that the feds currently make around $5 billion a year from these prosecutions. Great revenue stream. And whistleblowers can get up to 30 percent of that. That means that unhappy ex-employees, vendors, competitors and others might stand to make a nice payday at your expense.

WE ALSO DON’T KNOW IF THIS IS REALLY CMMC 2.0 OR MERELY A POSSIBLE SUGGESTION OF WHAT’S NEXT.

Here is what other people are saying.

JDSupra says that the Pentagon is suspending the pilot and the DoD is evaluating how it could “provide incentives” to companies that voluntarily get certified in the interim. That is a different twist. Do it now and we pay for it, do it later and you pay for it? Interesting.

They also say the self certification is for “some circumstances”. What does “in some circumstances” mean?

Finally, they say that the new Level 2 would be split into prioritized programs, which will require third party certification, and other programs, which will require annual attestations by corporate officers, similar, I am guessing, to Sarbanes-Oxley. People who lie there could be prosecuted, jailed or debarred.

They are also saying that it is possible that there may be a waiver process for some particular controls.

A lot of unknowns.

The Pentagon has some very high level stuff at the Office of Acquisition and Sustainment’s website, even though it is rumored that they will be losing management responsibility for the program. It may be moving over to the DoD CIO, but that is currently a rumor. What is a fact is that A&S has not done a great job over the last year. They say that the Pentagon wants to simplify things for small businesses, which is good, while protecting national security, which is hard.

In the meantime, the Chinese, Russians, North Koreans and others continue to rob us blind.

Is everything clear?

Good!

So, as I said, work on 800-171 compliance and stay tuned. Could be tomorrow, could be a year from now.

SORRY!

