Transitioning to CMMC 2.0 – The Five Stages of Grief

Late last week, the Pentagon put out a memo that stuck a knife in the heart of CMMC 1.0, to replace it with the new and shiny CMMC 2.0! CMMC is dead, long live CMMC!

Since that came out, social media and websites have been buzzing with what it means to organizations, assessors, and the government agencies that are supposed to be requiring these security controls. It is now 7:15pm on Tuesday, November 9th, and I just got off the Town Hall call with the CMMC-AB (Accreditation Body) and decided to put down some observations as well as tongue in cheek thoughts while they were fresh.

Let me premise what follows by saying I believe in a strong cyber posture, and strongly believe the only way the country’s infrastructure remains intact is by enacting good cyber hygiene. So, any snarky remarks that slip out by accident, keep that in mind.

I started looking at the death of CMMC 1.0 through the classic five stages of grief. I’ve been working on this for a long time now, and a loss like this stirs up many emotions. Such as:

Stage 1: Denial – I actually saw the news, and the first thing I thought was, “this can’t be true, it’s just another example of an internet story someone got wrong! They wouldn’t do a left turn like this when we were so close to certifying assessors and conducting assessments!” But they did.

Stage 2: Anger – After all the work I put in! All the studying, education of peers, advice to clients. How dare they!!!

Stage 3: Bargaining – I heard this in some of the questions on the Town Hall call. Roughly 2200 people attended, and there were literally hundreds of questions, many asking if we could bring back some of what was left out.

Stage 4: Depression – I was pretty sure I knew at least as much as most people about CMMC. Now I’m back at square one again.

Stage 5: Acceptance – Ok, now that I’ve raged against the machine and the dying of the light, let’s see what the story is here…

Right from the CMMC-AB site:

Level 1 is the same as before. CMMC 1.0 level 2 and level 4 are GONE! This is a good thing, since no one really did anything with them. The old level 3 is now level 2, and the old level 5 is now Expert level 3. As I learned on the Town Hall call, that level is still in flux, and not fully vetted out yet, but will be reserved for those companies that need the highest level of security certified.

Level 2 (old level 3) will now ONLY be NIST 800-171. No more extra CMMC controls, no more maturity processes. Level 3 (old level 5) will be based on 800-172, but not 100%. Like I said, they haven’t locked that one down yet.

Other noteworthy items:

• Because of the changes, certifications are no longer required at this time, and will not be required until CMMC 2.0 has gone through the rulemaking process, 9-24 months.
• Level 1 will no longer require formal certification but will instead have an annual self-assessment requirement.
• Level 2 will be split. For CUI that is not deemed a critical security threat, those organizations can self-assess. For high-risk CUI organizations (think aerospace, critical infrastructure, etc.), certification will still be required.
• Level 3 is still being developed. Don’t believe anyone who says otherwise!

Here’s a quick recap:

Other items of note:

• All or nothing at all – In CMMC 1.0, certification was a pass/fail option. Either you hit every control, or you failed. This is no longer the case. Once again aligning with NIST, CMMC 2.0 allows for a Plan of Action and Milestones, or POAM. While it will not be able to be used for critical controls (not defined yet) if you don’t meet all 110 controls of NIST 800-171, you will be able to create a plan of remediation to get compliant within a certain timeframe (six months was floated on the CMMC call).
• There are still only five C3PAO organizations (companies that can certify organizations to CMMC), and no Certified Practitioners (Assessors) other than the provisional ones because assessor exams have still not been created and will now need to be modified for CMMC 2.0 (as will the training itself)!

So, what does this all mean?

1. Don’t stop what you’re doing! – The whole point to CMMC was to get cybersecurity processes in place and allow organizations to feel secure and know data is protected. This hasn’t changed at all.
2. Keep moving forward! – Those of you that were moving to CMMC level 3 (old level 3) should keep doing so, now with the knowledge you need to hit NIST 800-171 instead, which was 90% of CMMC level 3 anyway! If you’re into the process, review it, but almost all the controls still apply, and if you have CUI, still apply!
3. Current requirements haven’t changed! – This one might be the most important. Even though you were working towards CMMC, current requirements include the DFARS 7021 requirement to submit and maintain a NIST 800-171 self-assessment in the DOD’s Supplier Performance Risk System (SPRS). If you needed to do that before, you need to do that now! If you’re missing controls, now is the time to plan to get them corrected!

At the end of the day, if you still need help understanding NIST 800-171, CMMC, performing a risk assessment or gap analysis, or any other related subjects, please do not hesitate to reach out to our team! Compass IT Compliance has been working on the forefront of the Department of Defense regulatory landscape for the past decade, and our experts would be happy to answer any questions you may have! Visit our services page to learn more about the solutions we offer.