Nine Common Topics in CMMC 2.0 Public Comments

Over the next six months, the Department of Defense will be evaluating comments on CMMC 2.0. Received over the sixty-day public comment period, the 368 comments reflect a lot of different perspectives on the proposed rule. All of the comments are available to review at https://www.regulations.gov/docket/DOD-2023-OS-0063/comments?sortBy=postedDate. We felt it would be beneficial to share some of the topics that were on the minds of commenters to see if any resonate with you. Let us know!

1.    ESPs, MSPs, and CSPs

Managed Service Providers, External Service Providers, and Cloud Service Providers will carry a lot of the responsibility in helping businesses achieve NIST compliance and CMMC certification. A lot of the comments were from businesses of these types, asking questions ranging from cost and technical details to specific content questions.

2.    CUI

CUI, or Controlled Unclassified Information, continues to draw questions from business owners. The fact that CUI is defined by the National Archives and not by the Department of Defense adds another layer of understanding that companies need. Questions about CUI range from how exactly to define CUI to how you know you have CUI. There were also questions about “flow down,” or how CUI should pass from a prime contractor to its chain of sub-contractors and suppliers.

3.    Security Protection Data (SPD)

CMMC 2.0 introduces a new phrase, Security Protection Data. There were questions expressing a desire for more specifics about this phrase. Depending on how the Department of Defense defines SPD, the definition of CUI could also expand in the coming years. 

4.    Small Business Concerns

Costs associated with CMMC have been a point of discussion since CMMC 1.0 launched in 2021. Many small businesses submitted comments regarding cost, including asking for ways the DoD could help ease financial commitments. Along with contractors, ESPs and MSPs asked questions along these lines, as they may need CMMC certifications as well in the next couple of years.

5.    NIST SP 800-171r2 versus NIST SP 800-171r3

Ever since NIST started working on NIST SP 800-171r3, there have been questions about whether the new CMMC rule would point to revision two, which exists now, or revision three, which is expected to reach finalization around the second quarter of 2024. As of now, CMMC 2.0 specifically names revision two, so many questions revolve around how the rule will change once the newer revision of 800-171 is published.

6.    POAMs (Plans of Action and Milestones)

POAMs give organizations a defined window to fix the gaps that caused them not to meet a control. CMMC 2.0 introduces a lot of detail about POAMs, ranging from what kinds of controls can be POAMed, to what levels of CMMC compliance allow for POAMs, and more. The scoring system of CMMC can seem intimidating for business owners who have not studied it before, and POAMs represent a big part of that scoring system.

7.    Questions About Each of the Three CMMC Levels

Each level of CMMC compliance (there are now three) garnered several specific questions. Many commenters wanted to clarify differences between level two and level three.

8.    DIBCAC High Assessments

Even though CMMC 2.0 is not final yet, some contractors have already gone through a DIBCAC High Assessment. There are quite a few questions about timelines for companies that performed well in these assessments and when the recertification three-year “clock” will officially start. Some companies were assessed as far back as 2022. If the clock started at that time, they will need to recertify when CMMC 2.0 is still quite new. 

9.    FedRAMP

Finally, there are several comments in regard to FedRAMP. The Department of Defense released a memorandum shortly before the public comment period ended regarding the often-discussed “FedRAMP Moderate Equivalency” issue. The memo, which can be read at https://dodcio.defense.gov/Portals/0/Documents/Library/FEDRAMP-EquivalencyCloudServiceProviders.pdf, states that CSPs (Cloud Service Providers) must achieve 100 percent compliance with FedRAMP standards. Many commenters used this platform as an opportunity to ask questions about FedRAMP equivalency, who this actually impacts, and more.

Now It's Your Turn

There are many comments and questions in regard to CMMC 2.0, and this is just a small percentage. We left our topics at nine because we want you to fill in the tenth spot. What is your question about CMMC? What have we not covered here that you would like to learn more about? Let us know by contacting us today.

Our team will continue to monitor Department of Defense responses and will share additional updates with you throughout this year.