Simple Analysis of Changes In DOD Cybersecurity

December 30, 2021

Analysis of the impact of CMMC 2.0

We have been getting emails asking what CMMC 2.0 and the Department of Justice Civil-Cyber Fraud Initiative mean.

New Rules: The good news is that CMMC 2.0 eliminates a number of expensive and complex requirements, such as the Maturity Model, and reverts to the NIST 800-171 safeguards, which are the core of the CH policies. New regulations will be written for CMMC 2.0, which is projected to take 9-24 months. In the interim, no CMMC requirements will be attached to any DoD contracts. It also reverts to self-assessment instead of on-site assessment, which dramatically reduces costs. Each DoD contractor must still post their DoDAM score and attest to having a documented POAM and SSP. An authorized company official must attest to the company's compliance annually.

Enforcement: The new sheriff in town is the Department of Justice, and their mandate is the Civil-Cyber Fraud Initiative. They will be using the False Claims Act to punish DoD contractors who falsely attest to their compliance. Their strategy is to appeal to whistleblowers, who could receive a portion of the fines. The fines are based on treble damages. The SSP documents that back up the score posted on the SPRS site have been specifically mentioned as a target for fraud charges.

We will be posting quarterly SSP documents for all of our clients beginning in January 2022. As new requirements come on board, we will keep you informed. If you have questions, contact me at .

