CMMC 2.0 : The Sky is NOT Falling!

Updated: February 16, 2022.
Original post: November 4, 2021.

Big changes are coming to Cybersecurity Maturity Model Certification (CMMC), but there is little impact in the short term to the path forward for DoD contractors.

This post is my personal interpretation and opinion on information released from official sources about CMMC 2.0. This should not be construed as legal or contractual advice. No warranties are expressed or implied.

Overall Recommendation to DoD Contractors

Stay the course to raise your SPRS Score and prepare for audit as early as 2024. More detailed recommendations below.

CMMC 2.0 Explained

The DFARS Interim Rule (DFARS 252.204-7012/7019/7020/7021) is still in effect, with the exception that CMMC Pilot programs have been suspended. Click here for more information on the DFARS Interim Rule.
CMMC 2.0 is not yet in effect. It will not be required until a rule is published in the Federal Register that states the effective date it can go into contracts. DoD OUSD(A&S) estimates the rulemaking process could be finished anytime between August 2022 and November 2023.
CMMC 2.0 may change significantly by the time the rules are published. Responsibility for the CMMC program has moved to the DoD Chief Information Officer (CIO) from DoD Acquisition & Sustainment (OUSD A&S). This means more changes are likely to come.
UPDATE 2/2022: CMMC Audits will be required for all DoD contractors processing Controlled Unclassified Information (CUI). The audits will be conducted by CMMC Third-Party Assessment Organizations (C3PAO). This is according to the DoD Deputy CIO and overrides prior information from OUSD(A&S) about “bifurcation” that would have only required audits for DoD contractors processing the most sensitive data.
CMMC 1.0 Level 3 is replaced by CMMC 2.0 Level 2. It will only require controls/practices "aligned with" the 110 NIST SP 800-171 controls instead of the 130 CMMC 1.0 Level 3 controls/practices and 49 Maturity Level processes.
CMMC 1.0 Levels 4-5 are replaced by CMMC 2.0 Level 3. It will require unspecified controls/practices "based on" NIST SP 800-172 in addition to the 110 controls/practices "aligned with" NIST SP 800-171.
Plans of Action & Milestones (POA&M) will be permitted; however, deficient controls must be "time-bound" and "enforceable". There will also be a waiver process that is "selective" and "time-bound".

Detailed Recommendations to Contractors

Focus on the 110 NIST SP 800-171 controls that comprise your DoD SPRS Score. Click here for a FREE tool for conducting a DoD Self-Assessment and calculating your SPRS Score.
Use an experienced third-party assessor to perform a Gap Assessment that will:
- Conduct or validate your DoD Self-Assessment;
- Create the System Security Plan (SSP);
- Create the Plan of Actions & Milestones (POA&M);
- Properly follow the required DoD Assessment Methodology;
- Help ensure the accuracy of the SPRS Score you report to the Government; and
- Provide a cost-efficient and effective roadmap towards increasing your SPRS Score and becoming fully compliant.

Leverage an experienced Compliance Engineering Team and/or Managed Service Provider to remediate your compliance issues and determine the best and most cost-efficient solutions for your DFARS, SPRS, and eventual CMMC 2.0 compliance.
The 20 additional CMMC 1.0 controls/practices are planned to go away, but still evaluate them because they will still improve your Cybersecurity. Some of these controls may appear in a future revision of NIST SP 800-171, so implementing them now will prepare for the future.
The CMMC Maturity controls/processes are planned to go away, though can still be used to evaluate the maturity of your Cybersecurity posture.
Self-Assessment and SPRS Score reporting is still required for DFARS compliance. Formal audits prior to CMMC 2.0 may be triggered by a security incident. Government contracts can still request to see/review your System Security Plan (SSP) and Plan of Actions & Milestones (POA&M).