Questions and Answers From The CMMC Version 2.0 Update Webinar

In this blog, you will find curated questions and answers pertaining to the DoD's CMMC update. These inquiries came from an industry group of over 900 DoD suppliers during the CMMC 2.0 Update Webinar with Robert Metzger, Jacob Horne, and Scott Edwards. Portions of the webinar will be added to this blog and the Summit 7 Youtube channel. To stay up to date on CMMC 2.0 and compliance updates for the DIB be sure to subscribe to the Summit 7 YouTube channel

The questions below are sorted by topic, with the questions in the bolded font and their respective answers sub-bulleted beneath them. Topics in this blog include (click to navigate):

CMMC 1.0 versus CMMC 2.0 / DoD Rulemaking


  • Where is the CMMC 2.0 equivalent to the CMMC 1.0 Appendices document?

    • The DoD and CMMC AB have said that updated documents for CMMC 2.0 will be released by the end of November - perhaps early December. For now, the ground truth remains NIST SP 800-171 revision 2 and NIST SP 800-171A for requirements at CMMC 2.0 level 2. For CMMC level 3, the source of truth is NIST SP 800-172.
    • NIST SP 800-172A (the corresponding assessment guide) is expected to be published by NIST in early 2022.

  • The mixup of CMMC levels is confusing. Is there a roadmap from 1.0 to 2.0?
  • Given the 9-24 month timeline for CMMC 2.0, is another interim rule expected? Does that slow down the imposition of CMMC requirements in contracts?
    • Based on the statement that DoD will pursue rulemaking in 32 and 48 CFR, there will likely be two new interim rules published in a staggered manner.
    • The DoD estimates that the process for completing rulemaking will take 9-24 months.

  • As it relates to CMMC 1.0 Level 3 (130 controls) -> Now CMMC 2.0 Level 2 (110 controls), what happens to the additional 20 controls?
    • The additional 20 controls were considered to be "CMMC-unique."
    • As a result, the "delta 20" controls were removed and are no longer required.

  • Any insight as to why the proposed rule has not been re-published? It does not show up in the Federal Register - thoughts?
    • The current interim rule will likely not be republished since the requirements of the interim rule still stand. DFARS 252.204-7019 and DFARS 252.204-7020 are still required and flowing through the defense supply chain.
    • DFARS 252.204-7021 merely exists to indicate when CMMC certification is required. The process of including 7021 on a case-by-case basis is on pause so the current interim rule is unaffected.

  • With maturity controls gone, policies can be used for evidence, but someone can't fail due to the way their policies/procedures/etc are put together - is this correct?
    • Correct. The process maturity requirements under CMMC 1.0 represented content minimums for documentation such as policies and procedures. Nearly all of the process maturity requirements were just restatements of existing NIST SP 800-53 controls (the "-1" controls that appear first for every control family).
    • While you won't fail for missing those assessments objectives under CMMC 2.0, documentation is still effectively required in order to properly facilitate an assessment and provide assurances to the assessors. Check out NIST SP 800-171A for the numerous pieces of documentation that are sometimes required via assessment objectives and always fair game as examinable assessment objects.

  • Is the DoD changing the model and not the program because the cost of certification has not been mentioned? This is key for small DIB members.
    • The DoD is claiming that costs, burdens, and barriers to entry are significantly reduced as a result of the changes in CMMC 2.0. However, the accounting for these savings and reductions is done for the overall CMMC program, not for individual companies.
    • The allowance of POAMs, the removal of the "delta 20" controls, and the removal of process maturity requirements are the basis for significant cost reductions. Yet, if an OSC's costs and burdens was a result of NIST SP 800-171, then these changes are not as helpful as the government is indicating

  • During a recent AB town hall, it was mentioned that congress will be involved - is this typical of rule making, or is this added oversight that may add time?
    • Rule making is often triggered by direction from Congress. For example, much of the impetus for the current CMMC interim rule was a result of the FY 2020 NDAA. You can find Congressional inputs, requirements, and references in many rules that are created across the various departments and agencies. Executive orders are also primary catalysts for rule making such as the recent software security executive order (EO 14028) or the original CUI executive order (EO 13556).

  • Is any cost recovery available related to CMMC 2.0 changes?
    • No details about cost recovery have been published.
    • The DoD will likely address cost recovery in rule making. However, the DoD has addressed cost recovery multiple times over the years in previous DFARS rule making. There does not appear to be any reason to believe that this position will change -- especially when the cost of compliance with CMMC 2.0 level 2 consists of controls the DoD expects are already implemented.
  • Is the DoD going to keep the CMMC numbering of the practices or are they just going to use NIST numbering?
    • Details regarding the format of control ID's have not been released. Updated CMMC 2.0 documentation is expected before the end of 2022.


Assessments and Certification / Costs

  • At what point does CMMC 2.0 Level 2 change from self-assessment to requiring an audit?
    • The details regarding data criticality decisions have not been released, but are expected to be explained via rule making. However, such decisions will likely remain up to the government program manager, requiring activity, contract officer, the prime contractor, etc.

  • What's the average cost for a CMMC LEVEL 2 assessment?
    • New cost estimates are expected to be outlined during rule making.

  • Since the original plan for C3PAO's mandated assessment under L3 of the old model, what happens with those assessments under the new 2.0 architecture? Do C3PAO's fall under the L2 "prioritized" assessment track or the self-assessment track?
    • C3PAO's will still need to be certified. Currently, C3PAO's are assessed by DCMA DIBCAC. Specific details about this process haven't been released, but there is little reason to believe that C3PAO's would be allowed to self-attest.

  • Does this mean that C3PAO's will only certify the subset of level 2 and not level 3?
    • That is correct. DoD through DCMA will certify level 3 through their DIBCAC assessments.

  • Won't the assessments be done by the government? So, the 3rd Party Assessment costs are no longer a factor, correct?
    • Details regarding assessment costs have not been released, but should be outlined during rule making. DoD's strategic intent states that non-governmental third-party assessment costs (CMMC level 2) "will depend upon several factors including the CMMC level, the complexity of the DIB company’s unclassified network for the certification boundary, and market forces."
    • Resource: Understanding DoD's Strategic Intent: Part 1

  • Will there be a sample language for “a senior company official must sign a self-attestation annually” or will companies have to formulate their own?
    • Details regarding the format and process of official attestations will likely be covered during rule making.

  • If CMMC Level 3 cert assessments are conducted by the Gov, can an OSC request a Level 3 assessment, or will DoD make the determination as to who can and cannot have a Level 3 assessment?
    • The details on this process have not been released. However, the DoD's strategic intent says that CMMC level 3 will be required for companies running critical programs. This almost certainly means large prime contractors. Much of the defense industrial base receives CUI flowing from critical programs but doesn't operate a critical program in and of itself.
    • This begs the million-dollar question of how data criticality will be determined. That being said, CMMC level 3 assessments will be conducted after CMMC level 2 assessments because NIST SP 800-172 controls are mostly enhancements to the primary controls listed in NIST SP 800-171.

  • The government indicated it was renegotiating its contract with the CMMC AB. Will CMMC AB’s role be reduced as the government becomes more involved in the execution and operation of the program?
    • Details about the relationship between the CMMC AB and the government are released during official AB announcements and CMMC AB town halls. The relationship between the organizations moving forward is unclear.

  • If within the past year someone has had a DIBCAC High confidence assessment and scored a 110, will they be required to have a CMMC L2 assessment?
    • Details for any gap or delta assessments haven't been released, but should be covered via rule making.

  • Approximately how long will it be before an OSC can request a CMMC L3 assessment? Should people get an L2 assessment from a C3PAO in the meantime?
    • It is unclear if OSCs will be able to request a level 3 assessment from the government.
    • It is also unclear if OSCs will be able to get a level 3 assessment from a C3PAO, even if they are willing to foot the bill. Whether an OSC "should" get a level 2 assessment is a complex business decision.
    • The DoD has indicated that there will be aggressive incentives for companies that achieve certification during the interim (rule making) period so that should be taken into consideration.

  • Is an IT managed service provider considered part of the supply chain, and does it need to be CMMC compliant if they provide IT support to a private contractor? Or, is it only companies creating products purchased by the DoD contractor and used in the product, considered in the supply chain?
    • This question is a massive gap in the overall approach to supply chain cybersecurity across all critical infrastructure sectors. The requirements in NIST SP 800-171 apply to "covered contractor information systems" defined in DFARS clause 252.204-7012 as "an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information." Often MSP's do not represent covered contractor information systems, but they do represent tremendous risk and assessment exposure.
    • The DoD has not specified whether MSP's will be explicitly required to achieve certification. Within NIST SP 800-171 appendix E, the government assumes that companies have already coordinated with external service providers and are requiring them to implement the same security controls as the OSC. Obviously, this is a huge problem that remains unaddressed. Hopefully, it is covered in rule making, but everyone should submit comments to the rules for exactly these types of situations.

  • For those that will need CMMC level 3 assessments, how often will they need to be performed?
    • They will need to be repeated every 3 years.

  • C3PAOs insist that more than 1 Assessor needed and that a team of Assessors is necessary. Is this correct?
    • That is correct. The government has dictated 4 certified assessors needed for a CMMC 2.0 L2 assessment.

  • What would be an indicator of being required by an external assessor vs not being required of CMMC level 2?
    • At this point, we believe that if you have technical data on weapons systems/platforms or Research and Development, those would certainly be in scope for a C3PAO requirement.

Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)

  • What responsibility is the government taking on controlling their sending of CUI/FCI to their primes and subs? Controlling it at the source seems like a good starting point.
    • Controlling the flow of CUI by controlling the origin of CUI is indeed the best way to limit the numerous costs and burdens that "follow" CUI due to security controls and other safeguarding requirements. The government has said that they are developing more in-depth training for contract personnel (contract officers and contract officer representatives) and program managers at requiring activities. How effective those efforts will be at stemming the flow of information remains to be seen. Much of the over-scoping and "over-flowing" of CUI into the DIB is a result of activities at the prime contractor level. Decisions by the primes regarding their own risk management via contract clause flow-down and the terms of private contracts between the prime and subcontractors are generally outside the reach of contract personnel on the government side. Certainly, better training will help, but it likely won't be a silver bullet.

  • How will contractors know what CUI requires an audit versus what they can self-attest?
    • The details of this process have not been released. DoD rule making as well as the upcoming FAR CUI rule (a separate rule making process) are expected to thoroughly cover this process.

  • What happens if programs can't answer what is CUI?
    • The government must start properly marking their CUI. It is a government-wide issue. However, that does not alleviate the Contractor's requirement to protect the data even if it isn't marked.

  • Under the assumption that CUI Specified requires greater protection above 800-171, will CMMC 2.0 L2 be CUI Basic, and would CUI Specified require CMMC 2.0 L3?
    • CUI Specified refers to requirements over-and-above the CUI Basic requirements in NIST SP 800-171. Typically, these additional requirements are not found in NIST Special Publications but are externally-defined parameters for the basic controls in NIST SP 800-171. For instance, the requirement to conduct incident reporting is a basic control, but the requirement to report incidents within 72 hours of discovery is a specification in DFARS 252.204-7012. NIST SP 800-172 will apply on the basis of program criticality rather than CUI specificity, based on what we currently understand.

  • Is this accurate? CMMC Level 2 may or may not need third-party certification since the 110 controls are still required. The types of CUI are needed to determine self-assessment of risk. Someone who is level 2  would get the cert to better ensure controls are met
    • Correct. For companies handling CUI, the controls in NIST SP 800-171 are the same.
    • The only distinction between the bifurcated levels is whether or not you will require an external assessment. Data criticality determinations are expected to be explained via rule making, although these decisions will likely be left up to contract personnel to a great degree.

  • When does "Critical National Security information" mean actual classified information, systems, and networks? Is there any chance that the additional assessment requirements would only be applied to classified systems and information?
    • Details on the distinction between data criticality and data classification have not been released. However, the basis for the CMMC conversation is Controlled Unclassified Information, which can be considered critical without being classified, by definition.

DFARS 70 Series (7012, 7019, 7020, 7021) and Interim Rule

  • If DoD takes the stance that all DoD contractors should have been compliant with NIST 800-171 controls by Dec. 2017, then CMMC seems to fall back to these controls, so what’s the big problem?
    • Yes, this will likely be the stance that DoD adopts since they have maintained that position since the final version of DFARS case 2013-D018 effective October of 2016.
    • In the DoD's eyes, there isn't a problem since they are retreating to existing requirements. For the DIB, this is a big problem if those requirements haven't been implemented. This leads to the conclusion that changes under CMMC 2.0 don't represent huge wins for those companies that haven't implemented NIST SP 800-171.

  • Cybersecurity tasks look to be present in DD254s in the CUI Addendum and are expected to be implemented regardless of the status of DFARS -7012/-7019/-7020 in the contract. Does this seem accurate?

Department of Justice (DoJ) and The False Claims Act (FCA)

Note: Summit 7 does not represent authorized legal counsel, and is in no way responsible for any legal advice given concerning the questions below. 

  • Could there be DoJ action under the False Claims Act investigation for a situation like SolarWinds? They could investigate and consume resources while they determine "mens rea", e.g. "knowingly" misrepresent security posture.
    • See video below

  • What's likely to be the outcome of a False Claims Act investigation? It feels like this could be similar to a speeding ticket. People will pay the fine but it wouldn't seem to change the substantial financial incentives NOT to do cybersecurity. In other words, changing behaviors via law enforcement, i.e. legislating morality, is pretty tough.
    • See video below

  • Is there a limitation as to what information a Prime can ask of a sub regarding NIST 800-171 compliance? Specifically SPRS submissions
    • See video below

  • How many False Claims Act (FCA) claims have been submitted and pursued?
    • You would need to check resources and reports generated by the Department of Justice. Much of the FCA discussion is the result of recent changes in DoJ's strategic intent via the Civil Cyber-Fraud Initiative.

  • With Level 1 now being self-assessments and the potential risks with FCA, do prime contractors have a responsibility to do more than just confirm the assertions have been submitted? Or will they be expected to do more?
    • Details about government expectations for prime contractor flow-down and verification may be covered during rule making.
    • Individual subcontractors and suppliers should always communicate with the upstream customers regarding specific expectations and obligations.

Answers to some of the questions above are covered in the video embedded below. 

Summit 7 Recommendations / Miscellaneous


  • Is it recommended that an RPO be brought in to validate the Level 1 "self-attestation"?
    • We would expect that many organizations will use a C3PAO to validate a self-assessment.
    • We would also expect that these third-party self-assessment validations will be significantly cheaper and faster than an official third-party assessment. This will provide the organization with some assurance that their self-assessment was valid and that they did not miss any major items. It will reduce the risk for the CEO that is signing the self-assessment.
  • Is an appropriate interpretation of the DoD placing "opportunities" to DIB's that decide to voluntarily get their CMMC certification, that they are not forcing organizations to get it but those who do could likely get "bonus points" towards RFP proposals in winning business?
    • There are a number of proposals that the DoD is considering for how to entice companies to get the third party assessment/certification prior to the final rules being completed. One of the proposals does include a security portion of an RFP scoring.

  • Are environments like GCC High for level 2 needed? Is there really any reason to make this type of move now?
    • The requirement for environments like GCC High are not driven by the controls in NIST SP 800-171 or by the requirement for external assessment and certification. Data sovereignty requirements and other specific obligations are outlined in DFARS 252.204-7012. If an OSC had reason for environments like GCC-H under CMMC 1.0, then they still have those requirements under CMMC 2.0

  • Are all encryption rules, internal and external, still in play?
      • Yes, the encryption requirements are still there.

  • How is everyone supposed to deal with the old end-of-life operating systems being the only ones that are FIPS validated? The latest FIPS validated cryptographic modules for Windows are for Windows 10 version 1809. This version is end of life. Same story for Windows Server, iOS and Android. Are people supposed to run these EOL operating systems just because their crypto modules have been validated despite being riddled with other known vulnerabilities that could compromise information security? Can the FIPS requirement either be removed from NIST 800-171, or FIPS validation for Microsoft, Apple, Android and Linux products be fast-tracked to be completed within a couple of weeks?
  • Should people be moving to meet the requirements for 2.0 now? Or finish 1.0 and then pair back to what is needed for 2.0?
    • You can move to 2.0 now. The items in 1.0 could still be considered best practices, but they are no longer required in 2.0.

    You can learn more about Summit 7's CMMC 2.0 Level 2 Solution set by clicking the button below.
    CMMC 2.0 Level 2 Solution

Subscribe Here!

Recent Posts

Posts by Topic

see all