Bill Wootton is the founder and president of C3 Integrated Solutions, a full-service IT provider based in Arlington, Virginia, that specializes in securing the nation’s Defense Industrial Base through cloud-based solutions and industry leading partners.
Late last week, the DoD announced CMMC 2.0. This revision is the result a six-month review of the program that was partially driven by the change in administrations, requests by Congress and industry feedback. Here are the highlights of the changes:
- Levels 2 and 4 have been eliminated, as have any CMMC-unique practices and all maturity processes from the CMMC Model;
- CMMC Level 1 now permits annual self-assessments with an annual affirmation by DIB company leadership;
- CMMC Level 3 requirements are bifurcated into two categories: prioritized acquisitions which require independent assessment, and non-prioritized acquisitions which require annual self-assessment and annual company affirmation;
- CMMC Level 5 requirements are still under development;
- Each of the levels have been renamed to remove the numbers 1-5 and replaced with 1-3 and renamed “Foundational”, “Advanced”, and “Expert”;
- Development of a time-bound and enforceable Plan of Action and Milestone process is permitted;
- Development of a selective, time-bound waiver process, if needed and approved is now available.
This news is very fresh and there is still a tremendous amount of processing and discussion in the industry relative to what this all means. We’ve combed through the document and outlined a few of our initial thoughts.
General Impressions
The reasons for CMMC are still very much valid and the concepts around the programs are both justified and very much needed. The Russians, Chinese and everyone else are still siphoning American intellectual property and planning to use it against us. However, as the industry began to dive into CMMC, it soon found that the maturity requirements were overly burdensome, especially for small businesses. Eliminating the maturity processes relieves much of the pressure and costs for contractors.
Consolidating the levels is practical move. DoD had openly stated that practically speaking, Level 2 was useless and further, no one seemed to know what Level 4 was going to do. That said, in our opinion, CMMC 2.0’s solution of bifurcating the new Level 2 so that only some people will need an assessment is a serious misstep. Clarity and predictability are critical to the success of this program and having two paths for Level 2 contracts will only lead to confusion. I hope we’ll either get a course correction or at least some clarification on this item.
Overall, there was a clear need to scale back the program – the costs associated with many of the maturity processes threatened the very livelihood of the small businesses they were intended to protect. However, I personally believe they went a little too far: we have five years of data that shows the self-attestation model of DFARS 7012 was ineffective. This revision is in danger of taking us backward a little too much.
From a market outlook, there will be a lot of confusion, a lot of opinions, and a fair amount of uncertainty over the next 6-12 months. We’ve been watching CMMC for a while and knew that course corrections would be inevitable, and we’re pretty sure this is not the last time it will occur.
What Will it Mean for Defense Contractors?
From our perspective, the news is positive as there will be significant cost relief. Here’s our perspective on what it means for you:
Breathe a Sigh of Relief: Documentation and maturity requirements were literally adding hundreds of thousands of dollars to the cost of implementing CMMC. Eliminating these processes should lower cost and actually expedite compliance. This is great news for companies of all sizes, but especially our small business base.
…and Keep Breathing: This is just one more step in a long journey. There will be public comments, assessing guidelines developed, and more than likely some course correction.
Don’t Sleep on the Threat: As we said before, the Russians, Chinese, and all the other bad actors out there haven’t packed up their keyboards and gone home. The threats remain, and make no mistake: your company is a target.
Stay the Course: NIST 800-171 was always at the core of CMMC. The technologies and capabilities required to meet that standard haven’t changed. While it makes sense to review and update your strategy, there should be only minor adjustments in technology investment.
Embrace the GovCloud: DFARS 7012 is still in effect. This is the rule that pushes clients into Microsoft GCC and GCC High to meet compliance with clauses (c) through (g) in 7012. Thus far DFARS 7012 has not waivered on this requirement, and unlike CMMC, 7012 is a current requirement.
Export Controls Haven’t Changed: Data sovereignty requirements were always separate from CMMC and remain unchanged. ITAR, NOFORN, Nuclear etc., still require data sovereignty and still mean GCC High.
Our Outlook
The industry will have varying opinions on the detail of these changes, but the bottom line is this is good news. The stagnation of CMMC was creating a ton of frustration and slowing progress. The release of CMMC 2.0 provides everyone with both some guidance and a path forward.
As we mentioned above, we all need to keep breathing…because this is still just getting started. The release of CMMC 2.0 is a big change and there will be a lot of continued discussions and probably some adjustments. About the only truth right now is there will be a lot of opinions and just about all of them won’t be based on actual inside information (including this author). That said, C3 has been tracking DFARS, NIST, and CMMC for years, we’ve been operating in an environment long guided by NIST 800-171 and we have hundreds of defense contracting clients who we’re helping navigate all of this in real time. Bottom line: our insights continue to be on the mark with CMMC, we’ll continue to watch and analyze its evolution, and we’ll continue to help you understand what it means for your business.
CMMC was, and is, all about securing our defense industrial base from cyber-threats. Real investment is required to meet this challenge. It’s important to evaluate your overall strategy in light of these changes and adjust accordingly. It’s equally important to resist the urge to abandon that strategy in order to save a few pennies or the effort that required. The threats will remain, the regulatory environment will continue to adjust and its up to you to make sure your business is ready for it all. No matter where you are on your journey to compliance, C3 can help. Contact us at info@c3isit.com to get the conversation started.
This article was originally published on C3 Integrated Solutions’ blog.