CMMC 2.0: Key Takeaways and a Call for Rational Calm

Yesterday’s “CMMC 2.0” announcement — forced early, due to someone publishing the DoD’s advisory too soon — has caused a lot of chaos. Folks need to let the dust settle, and grab a few takeaways.

1.) Understand that No One Understands

The CMMC 2.0 is still being revealed, unpeeled, and unboxed. No one fully understands it yet. Anyone saying otherwise is lying. Consume “analysis” postings and reports with caution.

If someone is presenting themselves as an expert, they are lying.

2.) Remember the CIO

There is one more seismic shift coming: the transition of CMMC from management by OUSD A&S to the DoD Office of the CIO. This will negate the contract between OUSD A&S and the CMMC-AB, and will push an entirely new rulemaking effort in place. Anything being said by the OUSD office right now is “lame duck” and will not reflect the true, final form of CMMC. This includes their FAQ page and yesterday’s content.

CMMC will see another big change (call it 3.0?) after CIO takes over.

3.) Listen to All Sides 

Tens of millions of dollars have been burned up by companies responding to press releases, empty threats, and false marketing. Class action suits are likely. And yet, much of this could have been avoided.

Consistently, the critics of CMMC have been proven right, over and over:

• We warned people that CMMC was on hold pending significant changes.
• We warned people that the CMMC model was undergoing a complete revision.
• We warned people that the CMMC-AB auditor pool requirements were unsustainable.
• We warned people that marrying an ISO-style conformity assessment approach with a CMMI-style maturity model appraisal method wouldn’t work.
• We warned people that the government needed to improve its labeling of CUI before anything could happen.
• We warned people the CMMC-AB credentials were worthless.
• We warned people that CMMC costs to the DIB were prohibitive

And we provided solutions. White papers were published, videos were posted, articles written, consulting provided to both DoD and CMMC-AB. We weren’t just griping.

But critics have been starved of any oxygen by press releases, a deeply conflicted program head, CMMC-AB falsehoods, and an aggressive consultant class that was invented overnight, and is loyal to their masters. These folks, in contrast, have been proven wrong time and time again:

• They insisted CMMC was on track, and denied it was on hold
• They insisted CMMC was mandatory, the “law of the land”
• They insisted the CMMC model was finished
• They insisted the CMMC-AB training materials were complete, and valid.
• They insisted the DIB could — and should — pay whatever costs required.
• They insisted anyone who disagreed with them was a liar, a troll, or a “malicious influencer.”

But look at the track record: the consultant class cannot be trusted, since they only have their financial interests in mind.

Instead, you must get a balance of information. Listen to critics, understand all sides, and absorb objective information. Question the motives of everyone you listen to. Be skeptical.

4.) Don’t Panic, and Don’t Make Things Worse.

The CMMC rollout has been a masterclass in two things: cult behavior and a psychological condition known as “irrational escalation of commitment.” The latter (also called “sunk cost fallacy“) manifests when someone has spent so much money and effort on a thing, when that thing is proven to have been wasteful, they double-down and continue to commit to it anyway. These people find they are unable to recognize their losses, because acknowledging they have made a mistake is emotionally worse than going bankrupt.

Instead, stay calm and stop spending money on CMMC. Don’t buy courses, don’t pay for seminars, and don’t invest in CMMC 2.0.

The only true requirements right now are NIST 800-171, and only if you handle CUI. You should be working on complying with that. Do not let CMMC confuse you, or take you away from those efforts. Don’t conflate CMMC with the NIST controls, either. They are not the same thing. CMMC may be based on NIST, but it will only complicate matters. Go to the source material — the NIST documents themselves — and work from that.

Overall, CMMC 2.0 is a step in the right direction.. but it’s not the last step.