The Cybersecurity Maturity Model Certification (CMMC) program began with the ambitious goal of introducing compliance and oversight to roughly 300,000 defense contractors. Not surprisingly, this came with its share of controversy. Ultimately, industry feedback prompted the Pentagon to revise and simplify the CMMC program, unveiling CMMC 2.0 in November 2021.
Changes to the compliance framework include the outright elimination of certain CMMC programs, including some that keen participants in the ecosystem have already paid for. On November 30, 2021, the CMMC Accreditation Body (CMMC-AB) hosted an online Town Hall to address its plan for refunds and the broader CMMC 2.0 roadmap:
CMMC-AB November 2021 Town Hall Summary
The Town Hall kicked off with greetings from CEO Matthew Travis, who noted that CMMC 2.0 had been rolled out only three weeks prior. As a result, many things are still in motion and the program continues to evolve. Although CMMC 2.0 continues to take shape, its primary focus remains the security requirements laid out in NIST SP 800-171 and SP 800-172, which detail how Controlled Unclassified Information (CUI) must be protected; which requirements apply depends on the “Level” into which your organization falls.
Refunds and Renewals
Having received many questions on this topic, Mr. Travis started by addressing the refunding of certain fees collected by CMMC-AB.
Exam Vouchers – Mr. Travis explained that the CMMC-AB initially sold bundles of exam vouchers to individuals who aspired to become assessors. However, the CCA-1 exam was obviated by the CMMC 2.0 changes, rendering that entire line of training irrelevant (CCP, as discussed around the 17:20 mark of the recording, remains active and valid).
- The CMMC-AB is reaching out by email to offer refunds to anyone who purchased CCA-1 exam vouchers as a bundle.
- Alternatively, the fee can be applied to the cost of the revised CCA exam. Although the CCA-1 fee was $275 and the new CCA exam costs $350, the original purchase will be honored as full payment for the new exam, a saving of $75 for the purchaser.
- Finally, you can hold the fee as CMMC-AB credit, also worth $350. Clearly the CMMC-AB is keen to promote continued participation in the ecosystem.
The CMMC-AB hopes to have all refunds processed by Christmas 2021. If you believe you are entitled to a refund but have not been contacted by the CMMC-AB, you can contact them directly by email.
C3PAO Assessment Vouchers – The board determined that charging C3PAOs for assessment vouchers simply did not align with its vision, particularly as it works towards ISO recognition. It ultimately decided that this program should be eliminated and will be reaching out by email to refund all C3PAOs who purchased assessment vouchers.
The first wave of Registered Practitioners (RPs) and Registered Provider Organizations (RPOs) is now in renewal season, and the AB invites them to renew their credentials.
Mr. Travis then went on to introduce a graphic representation of the new CMMC 2.0 model.
Level 1 requires an annual self-assessment and attestation rather than a third-party assessment, a lower threshold justified by the fact that many small companies process only FCI (Federal Contract Information) rather than Controlled Unclassified Information (CUI). Companies are strongly encouraged to engage outside experts to understand and validate what they are attesting to.
Level 2 is split between prioritized acquisitions, which will require triennial third-party (C3PAO) assessments, and non-prioritized acquisitions, which will permit annual self-assessment; the divide is meant to carefully manage the scale of the ecosystem. Companies not required to be certified at this time are still encouraged to get certified: the CMMC-AB touts CMMC certification as a mark of honor that sets companies apart from competitors.
Level 3 will be reserved for the DoD itself assessing the security of large contractors with more complex contracts. Mr. Travis speculated that this level may ultimately be in addition to (rather than instead of) Level 2 certification, leaving a role for C3PAO assessors (a point confirmed later in the Town Hall by the CMMC-AB’s Wayne Boline).
Training & Certification
Ms. Kyle Gingrich, CMMC-AB VP for Training, explained that although there will no longer be a CCA-1 certification, the CCP and CCA certification exams will still be offered. Ms. Gingrich stated that there remains a need for assessors and that the shift to CMMC 2.0 will enable quicker scaling and a faster roll-out.
Because some of the finer details of CMMC 2.0 have yet to be finalized, it is not yet known whether the reduction in levels (from five to three) and the removal of content will require changes to the CCP and CCA exams. The CMMC-AB is waiting for DoD documentation to make sure its work is fully aligned with the Department.
The planned December 2021 CCP beta was delayed by the CMMC 2.0 rollout, and a new timeline has not yet been confirmed. Eventually, online training content will be made available to bridge the gap between CMMC 1.0 and 2.0; this will also allow Licensed Training Providers (LTPs) and Licensed Publisher Partners (LPPs) to update their materials.
Ms. Gingrich emphasized that everything continues to move forward and CCP remains relevant: they need assessors to fill the pipeline due to the sheer scale of the Defense Industrial Base.
Defense Industry Perspectives
Allison Krache Giddens, President of Win-Tech, spoke on behalf of the CMMC-AB Industry Advisory Group (IAG). In particular, she expressed relief that CMMC 2.0 will accept Plans of Action and Milestones (POA&Ms), but she remains concerned about a potential bottleneck of third-party assessors.
Questions and Answers
One recurring question concerned accountability for self-attestations. Requiring senior company officials to make those attestations will help support accountability, and there were allusions to potential legal exposure (such as under the False Claims Act) for companies found to have made false attestations. The DoD may also take further steps to enforce accountability in this area.
Finally, Mr. Travis reiterated the government’s estimated timeframe for the CMMC 2.0 roll-out, which ranges from 9 to 24 months.
We will continue to follow the CMMC-AB closely and report when significant changes are announced. In the meantime, DoD contractors should already be working towards compliance for the CMMC level and assessment category they fall under.
As a fellow DoD contractor, we can attest that the compliance journey is a long one. However, CMMC 2.0 has given us significantly more “runway” – so we ought to use it! If you need help with your compliance journey, we talk about everything you need to know regarding NIST 800-171, DFARS 7012, and CMMC in our Workshops. Or just send us a message!