CMMC 2.0 is Coming – In a Year or Two

CMMC just became more complicated or more simple.

The feds published an advance notice of proposed rulemaking (ANPR) for CMMC 2.0 and then just as quickly, unpublished. The Federal Register, the place were office notices are published only said that they asked for it to be unpublished.

So people saw the ANPR for about 18 hours and here is what they saw:

  • CMMC Levels 2 and 4 would be removed. Since DoD already said they don’t plan to use them, that is not a big deal.
  • CMMC Level 1 would be a self assessment. Whether this is important depends on the consequences of lying. After all, the current 800-171 is pretty much a self assessment.
  • The process maturity sections of CMMC would go away. This is a big loss because without process maturity you really haven’t integrated security into the culture.

There seems to be a big disconnect between what is CUI and what is not. I was involved in a long conversation today where the customer of a three letter agency was saying, in their contract, that the names and personal information of contractor employees was CUI.

For now all assessments and certifications are on hold.

It also means that all of the companies in the CMMC ecosystem, from trainers to certifiers, are wondering about their investments. Some invested a lot of money.

On the other hand, DFARS 252.204-7012 and its underlying requirements of NIST SP 800-171, which is about 80% of CMMC version 1, Level 3, is still there and does not appear to be going away.

Was the release of CMMC 2.0 a mistake? A trial balloon? Intentional sabotage? No one is saying.

Personally, I think it was a trial balloon, but who knows.

Reports are that it will take the feds at least a year from now to develop the regulations behind CMMC 2.0 and that assumes that it doesn’t change from what was leaked. Of course, that is just a rumor. For all we know it could drop next week.

What we do know is the pilot program is suspended and contract requirements are being removed.

It is our recommendation that customers who are not fully compliant with 800-171, which your contract says that are currently certifying that you are, need to continue working towards becoming fully compliant. The DoJ announced two weeks ago that they intend to prosecute folks who lie about that. How aggressive that is going to be is unknown. What is known that the feds currently make around $5 billion a year from these prosecutions. Great revenue stream. And, whistle blowers can get up to 30 percent of that.


Here is what other people are saying.

JDSupra says that the Pentagon is suspending the pilot and the DoD is evaluating how it could “provide incentives” to companies that voluntarily get certified in the interim. That is a different twist. Do it now and we pay for it, do it later and you pay for it? Interesting.

They also say the self certification is for “some circumstances”.

Finally, they say that the new level 2 would be split into prioritized programs which will require third party certification and other programs which will require annual attestations by corporate officers, similar, I am guessing, to Sarbanes Oxley. People who lie there could be prosecuted, jailed or debarred.

They are also saying that it is possible that there may be a waiver process for some particular controls.

A lot of unknowns.

The Pentagon has some very high level stuff at the Office Of Acquisition and Sustainment’s website, even though it is rumored that they will be losing management responsibilities of the program. It may be moving over the the DoD CIO, but that is currently a rumor. What is a fact is that A&S has not done a great job over the last year. They say that the Pentagon wants to simplify things for small businesses, which is good, while protecting the national security, which is hard.

In the meantime, the Chinese, Russians, North Koreans and others continue to rob us blind.

Is everything clear?


So, as I said, work on 800-171 compliance and stay tuned. Could be tomorrow, could be a year from now.


Leave a Reply

Your email address will not be published.