February 18, 2025
L2 Self-Assessment: Don't get your hopes up
To be honest, I never thought it was going to be much of a thing anyway, when the only examples they ever gave were "boots and uniforms." Back in 2021, DoD was saying that any OSC that handles covered defense information ("CDI") would have to be certified, and a memo released last Friday has made it official. There are several interesting things in this memo, summarized below:
- Self-assessment for L2 will still be an option for the first year of the phased roll-out.
- After the first year, official certification will be required in the case of CDI, which includes CUI categories in the Defense Organizational Index Grouping, specifically:
  - Controlled Technical Information
  - DoD Critical Infrastructure Security Information
  - Naval Nuclear Propulsion Information
  - Privileged Safety Information
  - Unclassified Controlled Nuclear Information - Defense
- Any "non-FAR based grant or other legal agreement" is subject to CMMC
- "In rare circumstances" waivers may be granted for official L2 and/or L3 certification, but (1) not for cleared defense contractors, (2) nor for "contracts or work statements requiring access to both unclassified and classified DoD information."
More about waivers. Don't get excited! There are no waivers for self-assessment and attestation at any level. A waiver of the official certification assessment for L2 and/or L3 may be approved "in rare circumstances," but program managers are cautioned to "carefully weigh the risk of potential loss of CUI associated with mission critical capabilities before granting a waiver." Obtaining a waiver is a multi-step process requiring multiple approvals, and there is a quarterly reporting process required (presumably anyone requesting a lot of waivers will be questioned). "CMMC assessment waivers do not affect the underlying security requirements," so getting a waiver of official certification doesn't mean you aren't obligated to implement the requirements of L2 or L3 as indicated in the contract; only the third-party certification is being waived.
My gut feeling on waivers is that it's a response to the inevitable logjam of achieving official certification that will occur in the first few years of the CMMC program. DoD estimates 517 contractors will require official L2 certification the first year, 2599 the second and 8666 the third. The CMMC ecosystem will have to grow significantly to handle that many assessments.
Will it, though? Will there actually be that many contractors ready to pass an official assessment? That's a big question mark. Data on JSVAs provided in a Cyber AB town hall meeting last year indicated that only about 1/3 of orgs that signed up for JSVA actually passed. The other 2/3 were split between failing and backing out because they saw failure coming. Case in point: I was engaged to serve on a JSVA assessment team last October, but it was cancelled Friday afternoon before the scheduled start on Monday, because the OSC was not ready and would have failed.
So, my question for you today: Are you ready? Call if you need help! Or sign up for my virtual CMMC workshops to learn more about what you need to do.
Spring Workshops
Upcoming Virtual Workshops

Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107
TNE. Cybersecurity. Possible.