CMMC News

News and Recommendations

DoD released a statement regarding updates to the CMMC model on November 4, 2021. DoD is calling this CMMC 2.0 and has stated it will not become effective until the rulemaking processes for Title 32 CFR and Title 48 CFR are complete. Until that time, the Department is suspending all CMMC piloting efforts and will not approve inclusion of a CMMC requirement in DoD solicitations. The current chatter is that this will take anywhere from 9 to 24 months.

DTS RECOMMENDS: While this update is a change, it’s clear CMMC is not going away. On the surface, it appears the DoD is attempting to mitigate the potential loss of SMB DIB contractors by relaxing the initial implementation of CMMC. They may eventually reinstate the CMMC-specific practices and maturity processes, as well as the certification requirement.

Continue moving toward compliance with all NIST SP 800-171 controls and all associated documentation, including establishing maturity in the procedure-related controls for 800-171.

It’s critical that SSPs and POA&Ms are accurate and that you report cyber incidents in a timely manner if your contract(s) require self-attestation.

  • The final CMMC Rule will be coming out sometime between April – July 2021.
  • Certified Assessors will not be available until Summer/Fall 2021. The Licensed Training Providers were just recently approved and are ramping up their training programs. The first training programs are expected to be available in April 2021.

DTS RECOMMENDS: If you haven’t begun preparing for your CMMC assessment in earnest, you risk missing key deadlines for new contracts. Contractors needing a CMMC certification for a pilot program award in FY2021 will be eligible for an assessment from a Provisional Assessor with proper documentation provided to the CMMC-AB.

  • DFARS Provisions 252.204-7019 & 252.204-7020 are only applicable to contractors required to implement the NIST SP 800-171 standards per DFARS Provision 252.204-7012.

DTS RECOMMENDS: Contractors should look in Section L of their contracts to see if it includes 7012. Provisions 7019 and 7020 are not retroactive on current contracts but will apply on contract options and recompetes.

  • The CMMC Pilot Program (Year 1 CMMC Contracts) will include contracts from:
    • Army, Navy, Air Force, Missile Defense Agency, Defense Logistics Agency
  • The Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD (A&S)) is exploring opportunities to pursue CMMC pilots outside of the DoD to include: GSA, DHS, and possibly the Department of Interior

DTS RECOMMENDS: CMMC is still a DoD program but they are “welcoming participation” from other agencies. This news makes it even more of an imperative for contractors to have a long-term cybersecurity strategy in place – AND to forecast and budget for continuous upgrades and training to mature their practices. Until October 1, 2025, CMMC requirements will only be included in new acquisitions with the approval of OUSD(A&S)/OCISO(A&S).

A final tip…

When searching for Cyber Security Consultants and C3PAOs, ensure that you are selecting yours from the CMMC-AB Marketplace. There are many “poser” marketplaces out there, especially for C3PAOs, and contractor companies are not getting what they’re paying for.
