7 Questions and Answers on CMMC 2.0

by Orlee Berlove on December 9, 2021

The Department of Defense’s (DoD) recent shift to CMMC 2.0 has left many contractors trying to understand how the changes will impact their organization’s NIST SP 800-171 compliance needs and audit requirements. This blog addresses takes 7 of the 100+ questions submitted to PreVeil.

Our goal is to help defense contractors better understand how to prepare their organization and get started on with their NIST SP 800-171 compliance journey now and prepare for CMMC 2.0 later.

Question no. 1: What are the major differences between CMMC 1.0 and 2.0?

Answer: The DoD’s CMMC 2.0 program streamlines the original CMMC framework with a focus on lowering costs and simplifying the program. Key changes include:

Lowering the number of CMMC levels from five to three
Dropping maturity requirements
Aligning requirements for the new Level 2 (Advanced) certification with NIST 800-171’s 110 controls (by eliminating the 20 controls that had been added to Level 3 of the original model)
Permitting some defense contractors to self-attest to compliance with executive signoff
Allowing time-limited POAMs for some low-risk security controls
Ensuring Level 3 (Expert) will be based on a subset of NIST SP 800-172

Question no. 2: The DoD has stated that POAMs will not be permitted for some security controls under CMMC 2.0. Which controls can we expect that POAMs won’t be allowed for?

Answer: According to the DoD, POAMs will not be permitted for a “small subset of the highest-weighted security requirements,” although DoD has not yet identified those controls. The DoD’s current self-assessment methodology for NIST SP 800-171 gives each of the 110 controls a weight of 1, 3 or 5 points. Many CMMC experts outside the DoD expect that the highest-weighted security requirements will be the controls that are assigned 5 points.

For example, Access Control 3.1.13 requires organizations ensure that remote access sessions are encrypted. This control has a weight of 5 and most likely cannot be met with a POAM.

However, Access Control 3.1.11, which requires automatically terminating a user’s session after a defined period of inactivity, has an SPRS weight of 1 and so a POAM would most likely would be permitted for this control.

Question no. 3: I’ve heard that defense contractors will have 180 days to close POAMs for a contract under CMMC 2.0. When does the clock start on those 180 days?

Answer: There has been much discussion on when this 180-day time limit will begin. To the best of our understanding, the 180-day POAM clock will start upon award of a contract, either by DoD to a prime or by a contractor to a subcontractor.

Question no. 4: How will bifurcation of Level 2 (Advanced) contracts work?

Answer: The new CMMC Level 2 will bifurcate contracts into two categories: prioritized and non-prioritized acquisitions. Companies handling CUI for prioritized contracts CUI will be required to undergo a third-party assessment from a certified third-party assessing organization once every three years. Companies managing non-prioritized CUI will be permitted to perform a self-assessment. Contractors will need to conduct these self-assessments on an annual basis.

The DoD’s examples of contracts to illustrate the Level 2 path to self-assessment are designing military uniforms or boots, both of which involve CUI but not sensitive national security information. Examples of Level 2 work that would lead to triennial third-party assessments are developing parts for a weapons system, or for a command and control communications system.

Question no. 5: If CUI is bifurcated in Level 2, does this mean there are two types of CUI?

Answer: No, the DoD has made clear that they do not plan to create a different class of CUI. Instead, the type of assessment required will be based on the type of defense contract and its level of criticality, as described above in question no. 4.

Question no. 6: Level 2 (Advanced) will allow organizations handling non-critical CUI to conduct self-assessments. How will the DoD ensure that self-assessments scores submitted to DoD’s Supplier Performance Risk System (SPRS) are accurate?

Answer: When CMMC 2.0 is implemented, SPRS scores will need to be signed off by a company executive, who will be held accountable for the validity of the score. Currently, any employee can sign off on the NIST SP 800-171 self-assessment score; that most often falls to IT staff. The consequences of submitting false or inaccurate SPRS scores are severe.

Futher, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). DIBCAC—the DoD’s ultimate authority on compliance—has announced plans to increase the size of its audit staff in response to the very clear need to improve compliance and security in the Defense Industrial Base.

The Department of Justice (DoJ), too, is raising the stakes for compliance with federal cybersecurity regulations with its new Civil Cyber-Fraud Initiative to hold contractors accountable for their cybersecurity. DoJ is now utilizing the power of the False Claims Act to help enforce cybersecurity compliance, and is encouraging whistleblowers to come forward. A new DoJ task force will focus on investigating reports of contractors choosing to withhold reports of breaches or that falsify claims of compliance scores.

Question no. 7: I’ve heard that the DoD will allow some organizations to get waivers for meeting CMMC. How will this work?

Answer: Under CMMC 2.0, DoD intends to allow a limited number of waivers to contractors that exclude CMMC requirements for select mission-critical contracts. The waiver requests will require senior DoD leadership approval and will have a limited duration.

Conclusion

While we answered 7 popular questions here, we’re sure readers have many more points of concern about CMMC 2.0 Please reach out to us with your questions and we’ll do our best to answer them.

You can also check-out our recent CMMC 2.0 webinars to learn more: