DoD Releases CMMC Model v1.02
Today, the Department of Defense ("DoD") released Version 1.02 of its Cybersecurity Maturity Model Certification ("CMMC"), dated March 18, 2020. According to the CMMC Errata, all fifteen changes were termed "Administrative" changes (as opposed to "Substantive" or "Critical" changes). Some of the Administrative changes include, for example:
In practice AT.4.059, the references to NIST SP 800-53 Rev 4 AT-2(3), AT-2(4), AT-2(6), AT-2(7) were removed.
In practice CM.2.066, references to NIST CSF v1.1 PR.IP-3 and NIST SP 800-53 Rev 4 CM-4 were added.
The header Personnel Security (PS) was corrected to Physical Protection (PE).
In the last bullet of the CMMC Clarification Example, the term HTPS was corrected to HTTPS such that it reads: HTTP and HTTPS on port 443.
As many government contractors are aware, DoD intends on including the CMMC as a "go/no-go" threshold in requests for proposals ("RFP") beginning this fall with fifteen pathfinder contracts. That is, all DoD contractors––large and small, primes and subcontractors––will need to obtain a CMMC third-party certification to be eligible for defense contracts.
Notably, given that the novel coronavirus (COVID-19) pandemic is impacting the way Federal agencies and private entities conduct business, the timing of DoD's rollout could change. Be sure to follow us (and GovConJudicata) on Twitter and LinkedIn for updates.
For background on the CMMC, check out the GovConJudicata Podcast's Introduction to CMMC.
You can listen to the podcast in a number of places, including:
You can also listen here:
. . .