Late last week, the Pentagon put out a memo that stuck a knife in the heart of CMMC 1.0, to replace it with the new and shiny CMMC 2.0! CMMC is dead, long live CMMC!
Since that came out, social media and websites have been buzzing about what it means for organizations, assessors, and the government agencies that are supposed to be requiring these security controls. It is now 7:15pm on Tuesday, November 9th, and I just got off the Town Hall call with the CMMC-AB (Accreditation Body) and decided to put down some observations, as well as some tongue-in-cheek thoughts, while they were fresh.
Let me preface what follows by saying I believe in a strong cyber posture, and strongly believe the only way the country’s infrastructure remains intact is by enacting good cyber hygiene. So, if any snarky remarks slip out by accident, keep that in mind.
I started looking at the death of CMMC 1.0 through the classic five stages of grief. I’ve been working on this for a long time now, and a loss like this stirs up many emotions. Such as:
Stage 1: Denial – I actually saw the news, and the first thing I thought was, “this can’t be true, it’s just another example of an internet story someone got wrong! They wouldn’t do a left turn like this when we were so close to certifying assessors and conducting assessments!” But they did.
Stage 2: Anger – After all the work I put in! All the studying, education of peers, advice to clients. How dare they!!!
Stage 3: Bargaining – I heard this in some of the questions on the Town Hall call. Roughly 2200 people attended, and there were literally hundreds of questions, many asking if we could bring back some of what was left out.
Stage 4: Depression – I was pretty sure I knew at least as much as most people about CMMC. Now I’m back at square one again.
Stage 5: Acceptance – Ok, now that I’ve raged against the machine and the dying of the light, let’s see what the story is here…
Right from the CMMC-AB site:
Level 1 is the same as before. CMMC 1.0 level 2 and level 4 are GONE! This is a good thing, since no one really did anything with them. The old level 3 is now level 2, and the old level 5 is now the Expert level 3. As I learned on the Town Hall call, that level is still in flux and not fully vetted yet, but it will be reserved for those companies that need the highest level of security certified.
Level 2 (old level 3) will now ONLY be NIST 800-171. No more extra CMMC controls, no more maturity processes. Level 3 (old level 5) will be based on 800-172, but not 100%. Like I said, they haven’t locked that one down yet.
Other noteworthy items:
Here’s a quick recap:
Other items of note:
So, what does this all mean?
At the end of the day, if you still need help understanding NIST 800-171, CMMC, performing a risk assessment or gap analysis, or any other related subjects, please do not hesitate to reach out to our team! Compass IT Compliance has been working on the forefront of the Department of Defense regulatory landscape for the past decade, and our experts would be happy to answer any questions you may have! Visit our services page to learn more about the solutions we offer.