
Publication date: March 15, 2022

CMMC 2.0 – Extended-Release Dates Among Rule-Making Delays

Increased opportunities for self-attestation for qualifying organizations.


Written by Angela Polania

Angela Polania, CPA, CISM, CISA, CRISC, HITRUST, CMMC RP. Angela is the Managing Principal at Elevate and a board member and treasurer of the CIO Council of South Florida.

In this article, we look at the factors affecting the DoD CMMC 2.0 release date.

Since its initial release in the fall of 2021, the original CMMC model (now referred to as CMMC 1.0) received pushback from small and medium-sized companies, which argued that a self-assessment should be sufficient for contractors that do not handle sensitive CUI. As a result, early last November the DoD announced that the newly released CMMC (Cybersecurity Maturity Model Certification) security model would receive an immediate makeover to create a leaner and cleaner guideline, with the intention of building a more collaborative relationship with industry and creating more opportunities for self-attestation for qualifying organizations. CMMC 1.0 (as it is now known) has been officially retired, and its replacement, CMMC 2.0, remains in the early stages of rule-making and initial review. In early February, a directive from Kathleen H. Hicks, Deputy Secretary of Defense, reassigned responsibility for CMMC 2.0 away from the USD (A&S) and over to the DoD in order to establish unified leadership and guidance for all cybersecurity interests and programs.

This week, both the DoD and the CMMC-AB held Town Halls to report on the progress of CMMC 2.0. The CMMC-AB advised that training remains available for CMMC auditors who wish to become certified and enter the marketplace, noting that the 6th C3PAO was recently accepted into the marketplace and that applications for RPs, RPOs, and LTPs have doubled since February 2021. Delta training for CCP candidates who have completed CCP 1.0 courses was released on February 15, and Delta training for Registered Practitioners (RPs) is expected to be released by March 1. The training is anticipated to take 2-3 hours to complete.

The DoD Town Hall re-outlined the approved proposed adjustments that will be incorporated into the new 2.0 model. These include eliminating Levels 2 and 4, which were considered "transition levels," and creating a leaner model with three tiers: Foundational, Advanced, and Expert. The DoD feels that CMMC 2.0 addresses the self-assessment concerns that spurred the re-evaluation; the model has been adjusted to allow self-attestation for all companies that fall under Level 1. Level 1 companies hold federal contract information only, not critical programs or CUI. Companies at Level 2 and higher will be evaluated on a case-by-case basis and considered for self-attestation only in infrequent exceptions. It was also mentioned that the control items removed from CMMC 1.0 could possibly be added back into the NIST 800-171 requirements.

The main takeaways from the Town Hall updates are as follows:

  • Rulemaking is still in progress, but finalization of the CMMC DFARS rule may take up to 2 years (last September the estimate was 9-24 months).
  • As a result, implementation may be pushed back, and it could be as long as 3 years before CMMC is required in government contracts.
  • Most contractors at Level 2 and above that possess CUI (approx. 80,000) will likely require a third-party assessment; this differs from the original expectation that CMMC 2.0 would provide more opportunities for self-attestation.

Fig. 1: DoD CMMC 2.0 Release

What does all of this mean? 

Despite the delay while the DoD works on rule-making, it is important to remember that all indications are that Level 2 or higher companies will still be expected to meet the CMMC requirement for third-party attestation of compliance. Has your company determined whether this third-party attestation is necessary for its certification?

If so, keep in mind that even with the extended delay before CMMC 2.0 certification requirements appear in RFPs, the rule is inevitable, and preparation for the assessment can be intricate and time-consuming. To be as proactive as possible, conducting an objective Gap Assessment is an important first step toward going into the CMMC 2.0 assessment by a certified C3PAO with as much confidence as possible.

By calling Elevate, you can make the process of becoming compliant much less painful. Our Elevate professionals will prepare your firm for its formal assessment by a certified C3PAO with a thorough CMMC Gap Assessment, including remediation advice.
