Tentative Conclusions About CMMC 2.0 From a Small Business Focused MSP/MSSP

The DoD’s announcement of CMMC 2.0 has the defense industrial base buzzing with questions. For some smaller parts manufacturers or service providers who work directly or indirectly for the Department of Defense, shifting standards and unclear deadlines are making it hard to prioritize investing in CMMC compliance. There are still a lot of “TBD/TBA” details to follow; however, at the Direct iT Compliance Team we have come to some tentative conclusions about what CMMC 2.0 really means for small prime and subcontractors:

  • NIST 800-171 is a better thought out and more developed standard than CMMC 1.0; NIST 800-171 also has much better existing resources and a clearer path to more widespread adoption outside the DoD. NIST 800-171 is currently the best candidate for a government-wide FAR CUI standard.
  • The estimated 9-24 months for the rulemaking process doesn’t leave a lot of clarity about when contractors will really need assessments.
  • The idea that some contracts requiring CMMC 2.0 Level 2 will still allow self-assessments (details TBD) seems to allow for a slow ramp-up on third-party assessments even after rulemaking is complete.
  • The DFARS 252.204-7020/7019 clauses will now be the interim contract requirement until rulemaking is complete, which means contractors are still required to fully comply with NIST 800-171, but with self-assessments and self-attestations and, in a few cases, DIBCAC assessments.
  • The CMMC-AB ecosystem of professionals, C3PAOs, assessors, instructors, and approved learning materials will continue developing largely on schedule although additional government oversight of CMMC-AB may come when rulemaking is complete.
  • This means that the February rollout of the final / non-provisional CCP certifications should potentially happen on schedule, but that NIST 800-171A is now the assessment manual.