CMMC-AB Impromtu November Town Hall: 8 Unanswered Questions and Key Takeaways

Town Hall Overview

On November 9, 2021, the CMMC-AB held an impromptu Town Hall meeting to discuss the release of CMMC 2.0.

They didn’t record the event, so in case you missed it, we’ve done our best to summarize this Town Hall with as much detail as possible.

There were also a lot more questions. We counted over 300 during the course of the meeting.

With the changes announced in the release of CMMC 2.0, there was a lot of interest in what the CMMC-AB would say in this event. The changes affected both the defense industrial base (DIB) and the CMMC ecosystem.

The CEO of the Accreditation Body Matthew Travis noted that over 2,200 people joined this Town Hall event. The following DoD officials also joined the call...

• Jesse Salazar, the Deputy Assistant Secretary of Defense for Industrial Policy
• David McKeown, the Deputy Chief Information Officer (Cybersecurity)
• Buddy Dees, the Director, CMMC Program Management Office

Mr. Salazar spoke first after a brief introduction and review of the agenda by Mr. Travis.  He affirmed the DoD’s unwavering support of bolstering the cybersecurity of the defense industrial base.

Before drafting CMMC 2.0, Mr. Salazar recapped the DOD review process initiated back in March 2021. His recap included a review of the 850 public comments on the interim rule. He also mentioned the internal review from two components of DoD leadership [CIO and OUSD(A&S)].

These reviews led to the identification of clear objectives for the revised program...

• Safeguard sensitive information to enable and protect the warfighter
• Enhance DIB cybersecurity to meet evolving threats
• Ensure accountability while minimizing barriers to compliance to DoD requirements
• Contribute to instilling a collaborative culture of cybersecurity and cyber-resilience
• Enhance public trust through high professional and ethical standards

The establishment of an 18 person executive committee in June 2021, led to a consensus view of the changes made to the CMMC program. Those changes came to light in the release of CMMC 2.0. The four equal co-chairs of this steering group included...

• Jesse Salazar, the Deputy Assistant Secretary of Defense for Industrial Policy
• David McKeown, the Deputy Chief Information Officer (Cybersecurity)
• David Frederick, the Executive Director, U.S. Cyber Command
• Mieke Eoyang, the Deputy Assistant Secretary for Cyber Policy

David McKeown spoke about some of the reasons for the changes announced in CMMC 2.0. The main goal is to streamline the initial requirements and eliminate barriers of entry. He acknowledged that “the first go-around they may have cast too wide a net and attempted to enforce cybersecurity practices on companies that didn’t need to have them because the data they possessed wasn’t sensitive DoD data”.

CMMC 2.0 utilizes a risk-based approach to cybersecurity. It focuses more on the types of data identified by DoD as critical to national security. The CMMC 2.0 cybersecurity and assessment mechanisms based on NIST SP 800-171 is part of a four-prong approach by DoD that also includes...

• Cyber Crime Center and NSA sharing cybersecurity threat intelligence with the DIB
• Incident reporting and forensics of compromised companies to mitigate future threats
• Cybersecurity technical assistance and collaboration

The elimination of the Delta 20 controls yields the management of the NIST SP 800-171 framework back to NIST. If DoD wants to include new practices down the road, they’ll work through interagency requests with NIST. They'll then incorporate those new practices into the existing frameworks.

Buddy Dees started his presentation with a disclaimer that DoD is currently engaged in rulemaking. These program details are subject to change during these processes. This may help explain why the CMMC-AB removed previous Town Hall videos from their website and they didn’t record this Town Hall.

He then covered the changes made in the 2.0 release. Specifically, he spoke about the bifurcation of third-party assessment requirements for the new Maturity Level 2. He said, “For companies that have CUI for programs such as uniform development, that CUI is not always critical as information and data packages associated with weapons systems or command and control platforms.”

For contracts with less-critical CUI, the processes involved will be similar to what already exists with SPRS. He continued explaining this risk-based bifurcation by stating, “We recognize there is a different amount of risk there (between contracts of varying CUI criticality) and the amount of assessment oversight required.”

On the subject of POA&Ms, Mr. Dees added clarity around the time restrictions. He stated that OSCs would have up to 180 days after the date of contract award to close out any open actions.  If the DIB company failed to close open POA&Ms within that timeline, then the contracting officer would have the ability to put in place the appropriate remedies for failure to meet contract requirements. The highest weighted POA&Ms will not be eligible for certification with open POA&Ms and DoD is working to establish a “minimum [SPRS] score” for certifications with POA&Ms.

Another change is the use of waivers on a very limited basis. This is still in development by DoD but the details include...

• The Government program office must submit the application for the waiver as a waiver request package. It must justify that it's mission-critical and includes risk mitigation strategies.
• The waiver will not be endless, it must be time-bound. Timing will depend on a case-by-case basis tied to what the issue is that is driving the waiver.
• Any accepted waiver will need senior DoD approval to ensure the waiver process does not become over-used or abused.

All recommendations made by the executive steering group will now go through the DoD rulemaking process. There will be a 60-day public comment period. It will run concurrently with a 60-day congressional review prior to the rule becoming effective. DoD must publish an interim rule or a final rule before the department can mandate the use of CMMC 2.0. There will be two simultaneous rulemaking processes...

• Rulemaking under 32 CFR will define the CMMC program and the policies (use of POA&Ms, self-assessments, waivers, etc.) associated with it.
• Rulemaking under 48 CFR will codify the requirements in the DFARS to implement the CMMC 2.0 program through the contractual process.

DoD expects the timeline to complete a rulemaking to be 9 to 24 months (which would include the 60-day comment period from the public and congress). There will be no contracts issued with any CMMC requirements until rulemaking is complete. DoD encourages companies to volunteer for Level 2 certification in the interim period through C3PAOs.

Town Hall Questions

• Q: Do the CMMC 1.02 requirements go away with the introduction of CMMC 2.0?

• A:The CMMC 1.02 requirements are gone and the DoD website removed the documentation. The CMMC 2.0 documentation release is still pending, but they hope to have it posted by the end of November. [answer provided by Buddy Dees]

• Q:Will the return to self-attestation be sufficient? Especially, given concerns about how effective it has been with the NIST SP 800-171 requirements.

• A: The CMMC 2.0 website provides clarity to small businesses and addresses some of the cybersecurity challenges that they face.DoD also created a website called Project Spectrum. It also helps companies understand what cybersecurity practices can do to help them safeguard their information. DoD will also require a senior official within a company to sign off on any self-attestations on an annual basis to ensure there is accountability. [answer provided by Jesse Salazar]

• Q: Did you give any consideration to keeping the maturity processes in place but making them a little less strict?
• A: DoD does recognize the importance of the maturity processes that were in CMMC 1.02. Even with them taken out of CMMC 2.0, DIB companies are going to have to have processes to put their practices in place. They will still have to have those processes and procedures but they will not be part of the assessment per se. NIST will be the owner of the framework model and practice requirements. As the DoD identifies new practices or processes, then they will work together to get them added to future NIST documents. [answer provided by Buddy Dees]

• Q: How would I anticipate whether or not I would need a third-party certification or a self-attestation for Maturity Level 2?
• A: We are still working on the details but the concept is clear. DoD is not creating a different class of CUI but the data that is CUI brings different risks to the department.  The DoD will perform the risk assessment and determine what level of verification the DoD should require. The risk analysis will look at the criticality and prioritization of the information based on the impact it would have on DoD from a warfighting perspective.  [answer provided by Buddy Dees]

• Q: Can you talk about the impact of CMMC 2.0 on the current CCP training classes?
• A: The ongoing training will continue to run. But, because they know there are going to be changes coming, the CMMC-AB will make modifications to the learning objectives. The DoD will then provide free delta training to Provisional Instructors, Provisional Assessors, LTPs, LPPs, and CCPs (trained but not yet certified) in preparation for the CPP exam. The CMMC-AB will also need to reschedule the beta exam and public certification exams.  [answer provided by Melanie Kyle Gingrich]

• Q: When would OSCs be able to get voluntary assessments started?
• A: The goal of the PMO is to get the updated model, assessment guide, and scoping guide by the end of November 2021. Finalization of the POA&M requirements must also occur first. They will likely be a factor in every assessment, including assessments of C3PAOs by the DIBCAC. [answer provided by Buddy Dees]

• Q: On Submitting Questions to DoD
• A: Jesse Salazar mentioned that the CMMC 2.0 website has a contact button which allows people to send in questions. DoD wants to make their website the one source of truth and provide clarity where they can. Although Mr. Salazar acknowledges that there are many details need fine-tuning, DoD wanted to signal their strategic direction with CMMC 2.0 to industry.

• Q: Deliberations about the CMMC-AB
• A: Mr. Salazar also acknowledged that there were deliberations about the future of the CMMC-AB in CMMC 2.0.  He added “what we’ve seen over the past 3 or 4 months is a real professionalization of the AB”, acknowledging his appreciation for the efforts of Mr. Travis  improving the policies and practices related to standards of conduct and ethics.  Mr. Salazar affirmed DoD’s intent to stay with the CMMC-AB as the trainer and assessor within the ecosystem.

Conclusion

Sun Tzu once said, “Move not unless you see an advantage; use not your troops unless there is something to gain; fight not unless the position is critical.”

The decision by DoD to keep Maturity Level 1 and a part of the new Maturity Level 2 certifications as self-attestation demonstrates that…

• The advantages of protecting less critical information outweigh the costs of protection resources.
• The risk of antagonizing DIB companies that support our war-fighters.

The refined focus of CMMC 2.0 on prioritized contracts related to national security also tells us two things…

• The position (cybersecurity) is critical.
• The battle to install NIST SP 800-171 in the DIB is worth fighting.