Is CMMC Dead? Why should I care?

The rumblings of CMMC over this past month: the Department of Defense published the “Cybersecurity Maturity Model Certification (CMMC) 2.0 Updates and Way Forward” document, which outlines the CMMC background and the way forward based on the Department’s internal review.

These changes include:

  • Narrowing the model down to 3 levels
  • Changes to self-assessment
  • Adding POA&Ms

Why should I care?

For starters, the pool of DIB (Defense Industrial Base) government contracts requiring third-party assessments (by a C3PAO) just got significantly smaller. Impact on MSPs: there are potentially fewer contractors looking for our services.

Next, “Because Level 1 does not involve sensitive national security information, DoD intends for this Level to allow companies to assess their own cybersecurity and begin adopting practices that will thwart cyber-attacks.” Impact on MSPs: if you are not a certified auditor (C3PAO), then it's likely contractors won't need your assessment prep services.

Lastly (well, at the time of this post), the Plan of Actions and Milestones (POA&M): “The Department’s intent is to specify a baseline number of requirements that must be achieved prior to contract award, in order to allow a remaining subset to be addressed in a POA&M within a clearly defined timeline.” Impact on MSPs: if your MSP is not familiar with the POA&M process, getting up to speed won't be hard. The hard part will be the time-enforced action items, meaning that only certain controls will be allowable for a POA&M, and each of them will have a time-to-implement date which will be monitored. That seems easy enough, with the exception of whether the contractor has the resources (time and money) to implement.

In summary, there are still a lot of changes happening; rulemaking will dictate much of this, so keep an eye on the CMMC website.

Some of the references quoted above are provided by OUSD Acquisition & Sustainment.
