CMMC is dead! Long Live CMMC 2.0!

There was a major security-related announcement today from the Office of the Under Secretary of Defense for Acquisition and Sustainment of the Department of Defense (DoD). The DoD released an overview of its plans moving forward for the CMMC program. The current implementation of CMMC (henceforth known as CMMC 1.0) and the rollout of the new DFARS 252.204-7021 clause are going to be suspended while the new rulemaking process for CMMC 2.0 is underway.

The announcement also gave some more details:

  1. CMMC 2.0 will eliminate level 2 and level 4 and focus on level 3 (which will be renamed to level 2).
  2. CMMC 2.0 will no longer include the process maturity requirements and instead will adhere more closely to NIST 800-171.
  3. CMMC 2.0’s level 3 will now mostly be based on self-attestation/self-assessment, with third-party assessments only for certain contracts identified by the DoD.
  4. A Plan of Action and Mitigation (POAM) with strict timelines and guidelines will now be a part of the CMMC process.
  5. A rulemaking process and public review period will happen before the CMMC 2.0 requirements are applied to DoD contracts.

Direct iT wants to take this opportunity to remind those in the Defense Industrial Base (DIB) that NIST 800-171 requirements (including vulnerability assessments, SIEM, incident response, and many more) are still in place for all DoD contracts, and that most of these measures are still part of a good information systems management program.

For more information, please refer to the press release by the Department of Defense.