I just watched a DoD town hall on their current thoughts on CMMC 2.0.
Here are some of the highlights:
- CMMC 2.0 has been stripped down to NIST SP 800-171 (we already knew that)
- DoD has already had several meetings with NIST about adding (at least some of) the things that were in CMMC 1.0 into 800-171 Rev 3. We know that DoD said that was their plan. It is interesting that they are actually doing that, quickly. In fairness, it will take NIST a while to release Rev 3.
- Remember that bifurcate thing that we all looked at each other and said HUH? Or possibly some other adult word. For those of you who were not watching, they said that they were going to take the new CMMC level 2 (which is the old CMMC level 3 or CUI holders) and split it in two. The lower end of level 2 could now self certify (if history is any indicator, according to the DoD itself, that means that more than 80% of those people self certifying will be lying) and the upper half of level 2 would need a third party certification. Well, it seems, the DoD also said “HUH?” and has changed their mind again. Now they are saying that all level 2 holders will need a third party certification. Why? Because they have no intelligent way to figure out why my CUI is important and needs a third party certification and yours does not. At least anything that stands a snowball’s chance in hell of standing up in court and we know that DoD does not need a thousand lawsuits on their hands.
- The DoD had previously said it would take 9-18 months to craft the new rules. Today they said 24 months.
- They did not say this, but if they can change their mind about something as important as bifurcation in only two months, expect more changes in the next 24 months. This is why we say focus on 800-171. That seems very stable.
- I think you should expect more enforcement of the -7012 and -7020 DFARS in the interim. There is no reason not to, and all that would take is someone to tell the contracting officers to do it.
- I spoke to a client today who is being asked to sign a certification of compliance with -7012 and -7020 AS A PREREQUISITE to getting the contract. In theory this has been mandatory since December 2017, but enforced unevenly. If DoD wants contractors to improve their security with minimal rule changes on DoD’s side, all they need to do is start enforcing the existing clauses.
- The problem, if DoD does enhance the enforcement of the -7012 and -7020 DFARS, is that a lot of contractors may be reluctant to knowingly falsely sign a government document. This is especially true after the Department of Justice publicly said last fall that they plan to go after folks that do that. No one wants to get attention from the DoJ.
So, my assessment of CMMC is this. It is going to happen. It is going to take a while. Initially, it will look a whole lot like NIST 800-171. DoD will step up the enforcement of the -7012 and -7020 DFARS clauses, and there is very little that contractors will be able to do to dodge that requirement. DoD will continue to put pressure on the primes, especially the big primes, to get their subs under control, and primes may be challenged to find new subs that are compliant or at least willing to say that they are compliant.
Regarding falsifying that compliance statement – remember that the False Claims Act lets the government give a tipster up to 30% of the fine that they collect. A disgruntled ex-employee, a sub that lost out on the deal, a vendor: many people who have a score to settle might just find that appealing.