CMMC 2.0 Analysis - Changes

Captions
November, everyone. If you've been keeping up with the recent developments of CMMC, and judging by social media you have, you know that CMMC 2.0 was announced. The outcomes resulting from this announcement sent a massive shockwave throughout the entire government contracting community. To date there's been a lot of speculation on what this means and, more importantly, what it does not mean. So let's start with what we know to be factual.

Point 1: The CMMC model transitioned from five levels to now only three.

Point 2: Those government contractors that were previously preparing for the old CMMC 1.0 Level 1 assessment will no longer need to pay for outside assessors to certify you. This will revert back to the formal self-attestation model; however, the head of each company will have to attest annually, in writing with wet ink, that they are in conformance with CMMC 2.0 Level 1. My belief is that this form will also have fine print pertaining to DFARS clauses, old and upcoming, that pertain to having to conform with NIST 800-171, but we'll come back to that in just a minute.

Point 3: The former Level 3 is now known as Level 2, and it's a hybrid model. For those government contractors that will have to be assessed for access to controlled unclassified information, of those that will be required to be independently certified, you will no longer have to demonstrate proof of policies, procedures, or resourcing guidance.

Point 4: CMMC 2.0 will be subject to a final ruling, just like CMMC 1.0, and this could take anywhere from a year to a year and a half to finally execute.

Point 5: A number of organizations desiring to become certified third-party assessment organizations (C3PAOs) have signaled that they may be pulling out of the ecosystem.

Point 6: The number of individuals desiring to work for those C3PAOs as assessors are also signaling that they may be pulling out as well.

Point 7: The original pilot program has been suspended until further notice. This will directly impact the CMMC ecosystem, because there will not be enough assessors to do the work once everything is fully ratified.

Point 8: And lastly, in October Ms. Lisa Monaco, Deputy Attorney General, publicly announced the launch of the Civil Cyber Fraud division and went on record to state that government contractors that misrepresent their cyber defense capabilities will be prosecuted under the False Claims Act. Coincidence? Maybe, maybe not. Remember what I said earlier about 800-171? This is something you should pay close attention to, especially if you are the one signing off on the attestation of conformance. The False Claims Act is not limited to civil; it also empowers the government to seek criminal sanctions against the individual or individuals that signed off.

Now let's delve into what's being speculated.

Point 1: Conforming with the new Level 1 for CMMC 2.0 will not satisfy the DFARS requirements under the pre-existing 7012 clause. While correct, neither did the original CMMC version 1 for Level 1.

Point 2: Organizations that attempt to complete their SPRS scores without examining Appendix E of 800-171 will have significant consequences. Well, what is Appendix E? Appendix E focuses on four tailoring objectives, one of which is for non-federal organizations, or NFOs, and there's a number of controls added that are presumed by NIST that commercial enterprises already do. Unfortunately, when this came out with 800-171 several years ago, they grossly underestimated what corporate America does for protecting their cyber interests. As a result you potentially have this hidden gotcha built in, but in my professional opinion it would be very hard to successfully prosecute against you if you didn't adopt Appendix E. Now, should you adopt these actions as described in Appendix E? Absolutely. Do we believe that government contractors as a whole will adopt it? No, we do not.

I liken this to Special Publication 800-53 Revision 4. If you're not familiar with this document, it's pretty much the gold standard on how to implement a robust cyber risk management program. However, in Revision 4 it was specific to federal systems, and it had an appendix that included privacy controls that were not measured against when federal systems underwent their own authorizations to operate. What ultimately happened is that these controls that were previously in the appendix were moved into the body of what is now Revision 5, which is formally ratified, now includes privacy and supply chain control mechanisms, and is no longer limited to federal systems. I envision that there is a possibility that the next version of 800-171 could adopt a similar method, taking what was Appendix E and putting it in the body. If so, then about 60 controls that you previously failed to adopt are now a formal requirement for being measured against in SPRS and potentially other attestations.

While Soundway is aware of numerous companies and subject matter experts conveying a desire to no longer support certification and accreditation activities on behalf of CMMC or the DoD, Soundway remains committed to helping our clients prepare for the new CMMC 2.0, and at which time that we are fully authorized as a C3PAO, be ready to support you as needed, when needed. On behalf of Soundway Consulting, I'm Carter Schoenberg. Thank you.
Info
Channel: Soundway Consulting
Views: 88
Id: lBtZs_mjNzg
Length: 5min 32sec (332 seconds)
Published: Tue Nov 16 2021