News and Recommendations
DoD released a statement regarding updates to the CMMC model on November 4, 2021. DoD is calling this CMMC 2.0 and has stated it will not become effective until the rule making process for title 32 CFR and title 48 CFR are complete. Until that time, the Department is suspending all CMMC Piloting efforts and will not approve inclusion of a CMMC requirement in DoD solicitations. The current chatter is this will take anywhere from 9-24 months.
DTS RECOMMENDS: While this update is a change, it’s clear CMMC is not going away. On the surface, it appears the DoD is attempting to mitigate the potential loss of SMB DIB contractors by relaxing the initial implementation of CMMC. They may eventually reinstate the CMMC specific practices and maturity processes, as well as the certification requirement later.
Continue moving forward toward compliance with all controls with NIST SP 800-171 controls and all associated documentation including establishing maturity in the procedure-related controls for 800-171.
It’s critical for SSPs and POA&Ms to be accurate and to report cyber incidents in a timely manner if your contract(s) require self-attestation.
- The final CMMC Rule will be coming out sometime between April – July 2021
- Certified Assessor will not be available until Summer/Fall 2021. The Licensed Training Providers were just recently approved and are ramping up their training program. The first training programs are expected to be available in April 2021.
- DFARS Provisions 252.204-7019 & 252.204-7020 are only applicable to contractors required to implement the NIST SP 800-171 standards per DFARS Provision 252.204-7012.
DTS RECOMMENDS: Contractors should look in Section L of their contracts to see if it includes 7012. Provisions 7019 and 7020 are not retroactive on current contracts but will apply on contract options and recompetes.
- The CMMC Pilot Program (Year 1 CMMC Contracts) will include contracts from:
- Army, Navy, Air Force, Missile Defense Agency, Defense Logistics Agency
- The Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD (A&S)) is exploring opportunities to pursue CMMC pilots outside of the DoD to include: GSA, DHS, and possibly the Department of Interior