October 2024 CyberAB Town Hall Recap: CMMC 2.0 Updates You Can't Miss!
CMMC Compliance Guide, November 26, 2024


Submit any questions you would like answered on the podcast!

In this episode, Brooke and Austin Justice dive into the latest CyberAB townhall update, sharing key insights for defense contractors. Stay informed on the latest CMMC developments, compliance changes, and how they could impact your business. Whether you're navigating CMMC 2.0 or simply trying to stay ahead of cybersecurity requirements, this recap is for you!

Topics Covered:

  • Important updates from CyberAB
  • Key compliance insights for contractors
  • How these changes affect your CMMC journey

Austin

Hey there. Welcome to the CMMC Compliance Guide Podcast. I'm Austin, and I'm Brooke, from Justice IT Consulting. We're here to help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns, getting companies fast-tracked to compliance. But today we're here to give you all the secrets for free, so if you want to tackle it yourself, you can. Let's dive into today's episode and keep your business on track. So we have this little thing called CMMC Cyber AB Town Halls or something.

Brooke

Yes, it's just the Cyber AB town hall. Cyber AB. They changed it from the CMMC AB. So just the Cyber AB, but they do have town halls. Okay.

Austin

How often is that?

Brooke

They have those town halls once a month. It's really just an update on the whole process: any news, new things that will come up, things that have changed. And there were a few things that changed or came up, and some news to let everybody know about, in this last one.

Austin

Okay. Very cool. Well, that's why we're here today, to kind of break it down, and we'll try and do this monthly for you guys so that way we'll sit through the town halls for you and you can come hear our perspective. So, cool. Anything you want to share further on the town halls and what they get into, or do you just want to get into what happened on this one?

Brooke

Really, I think probably a lot of people know what the Cyber AB is, but there's probably a lot of people that don't understand what in the world the Cyber AB is and how they fit. So the Cyber AB: the DOD wanted an organization, a separate organization, to run the accreditation process and to set up all the CMMC structure and everything. And so that's where the Cyber AB came from. And they're authorized by the DOD to do all that, and they're the only one. So that's what the Cyber AB does. They take care of all the certifications, the assessment process, and, you know, all that kind of fun stuff.

Austin

Well, you said that there might have been an update with the 48 CFR proposed rule. Can you tell us about that?

Brooke

For the 48 CFR rule, there's not a whole lot, you know, no big news or anything. Just that the proposed 48 CFR that was released August 15th, the comment period is open till October 15th, and today is the third. I don't know if I'm supposed to tell everybody when we're recording this, but it's the third today. So we're recording this on the third. It's open for a few more days. So if there's any comments that you want to enter on that, make sure you go do it. The more comments, the better. But that's open to the 15th. Your guess is as good as mine on when they'll release a final rule, but if they follow the same process they've followed this whole time, we're looking still at late 2025 for the final rule to go in place. We're talking Q3, most likely Q4. They could rush it. Don't really know. But anyway, so it's looking probably like that. And the 48 CFR is what puts in place CMMC on contracts, on new contracts. So when this 48 CFR goes final and goes into effect, at that point new contracts will require CMMC 2.0.

Austin

So there's also a change, I guess, or update to the 32 CFR?

Brooke

Yeah, so the news for this 32 CFR is a little more significant news: it passed, it's out of the OIRA review, Office of Information and Regulatory, gosh, whatever the last one is. Anyway, they review all this. So it's passed out of that group. And so the final rule will be ready to be introduced anytime now. And kind of everybody expects it to be introduced in October, which this is October, so it'll be introduced relatively soon. With the 32 CFR rule, there were several things that really impacted companies like us, and some other things. So that one is significant. And so we're looking forward to seeing what the final rule actually is, so we'll know how to handle a few things: what has to change, you know, all that kind of fun stuff. But it should be coming out anytime now. And then when it comes out, there's sixty days before it goes into effect, and then also, I thought it was the same time, but the congressional review is sixty days also. That'll likely come after, because this is all during the holidays, I believe. Anyway, it kind of depends on exactly when it's released and all that kind of fun stuff, but Congress has sixty days to review it as well.

Austin

And there is an update to the CMMC assessment process itself, I hear.

Brooke

So there's a document, it's a huge, gigantic, long document called the CMMC Assessment Process. Right now they have version one out, and I don't know, that may be a draft, that may be specified as a draft, but version one is out right now. When you go get certified, you learn on the latest version they have, which should be close to what this CAP 2.0 is, and we'll just call it what everybody calls it, the CAP. So the CMMC Assessment Process is the CAP. So version 2.0 will be coming out, but it's not going to come out until after the final rule is published, because they need to know if there's gonna be any more changes to that CAP. So the CAP process is what all assessors have to follow during the assessment, during the certification assessment process. So if an assessor comes in to do one of those certification assessments, they will be following that to the letter. Version 1.0 was very prescriptive, very strict, everything else, and so what they're trying to do with version 2.0 is make it a little less prescriptive, more as a guide and all that. But what I'll tell you is, if you go read the 2.0 in depth first, or what will likely be the 2.0, if you read that version first, then you're thinking, well, how can this be less prescriptive than the last one? But it is. So they're trying to make it more usable, more understandable, all that kind of fun stuff. But I will tell you it is a very detailed process, and the whole first section, before you even get into actually doing the assessment, the whole first section is about what happens between the C3PAO, the companies that hire the assessors to do the assessment, and the company seeking the certification, the OSC, organization seeking certification.
So it's between the C3PAO and the OSC, and they exchange information and a few high-level documents and review them and all that kind of fun stuff. And the C3PAO has a lot of hours into this already before they can even go, okay, here's the contract, and this is what we can do, this is how it'll go. So they've got a lot of hours into it before they even can get paid on anything, basically. And I just say that for everybody to kind of understand that if that section is that involved, the rest of it is even more involved. So there's a lot of hours that go into it, and right or wrong, good or bad, whatever, but that's why the assessments are, you know, not a couple thousand dollars, but more like twenty or thirty thousand dollars and up. So anyway, but yes, CAP 2.0 is coming out. Okay. Short story.

Austin

Okay. Well, the only thing I was thinking this whole time was I guess it brings a whole new meaning to putting your assessor's cap on, you know. So 2.0 hats or something, that just say CAP 2.0. Very good. That'd be a hit with all the nerds. I think there were some jokes about that at the last conference. Oh, was there? So I'm behind the ball. Well, I tried. So you also said that there might be some updates on how they're approaching CCPs and CCAs?

Brooke

Yes. And really it's just the background check. The tier three background investigation is what it is. Before, what everybody understood, and this is actually what they reiterated and said this is how it's gonna happen, how it's gonna be. At the last town hall, I really didn't necessarily get that, but I think they may have gone that direction. But tier three background checks: all CCPs and CCAs have to go through a tier three background check. I had to go through one, or I'm having to go through one. So when CMMC comes out, you'll have to get that before you'll be certified as a CMMC Certified Professional or CMMC Certified Assessor. So that'll come before the certification. But up to now, you've gotten the certification. The only reason you had to have that certification, or excuse me, the only reason you had to have that tier three background check was if you wanted to participate in a certification assessment. I didn't get the CCP to do certification assessments. I got it so I will understand how those work and have all that information to help our clients better. So I really didn't care about the tier three background check. But now what they're saying is not only do people have to have them in the future before they can get certified, but all those people that certified before, if you don't get it, your certification is gonna be suspended. And this has to happen by the time the 32 CFR rule goes final. Okay. So any CCPs or CCAs like me that didn't bother doing the tier three background check are having to go through it now. And from what I understand, there are quite a few. And so now of course everybody's scrambling and, just like me, went, oh crap, I gotta go on and get this done. And so now they've probably got a backlog of those to do.
So it depends on what's going on, you know, with the department that does all the background checks. Sometimes they get backed up, and then, you know, sometimes they've got a normal wait list of a couple of months. But the point is, whenever all this goes final and you start to go get your certification assessment, all the CCPs and CCAs that come, and there will be multiple, there's never just one, all the CCPs and CCAs that come to work on your assessment have to have that background check before they can partake in that certification assessment. Okay. So you just want to make sure of that.

Austin

Right. No, it makes sense. And I guess if you see Brooke get replaced on the show, you know why. That's right. We'll learn soon if you pass that check.

Brooke

Right. And also, just so you know, I can't imagine a C3PAO actually sending assessors out that don't have all the credentials they're supposed to have. So I don't think that'll really be a problem, but it's a good thing to check. You can always go on the Cyber AB marketplace. Cyber AB is just CyberAB.org. And in fact you can look me up, Brooke Justice, and you can see that I have an RP, our organization is an RPO, and you can see that I have a CCP. So when the 32 CFR goes final, if my background check is not done yet, it'll suspend my CCP and I won't show up as a CCP anymore. Okay. But whenever it gets completed, they'll just reverse that and it'll be unsuspended.

Austin

Right. So it'll be an easy way for listeners to go check their professionals to see if they're legit.

Brooke

Yeah, the easy way is just go to cyberab.org, go to the marketplace, and look for those people.

Austin

Awesome. That's good news. Always like easy things. So I think you said that was most of the changes that came from the town hall. What would you say your biggest takeaway collectively with all this information is?

Brooke

Really, the biggest thing that our clients and potential clients want to know, or people that may be listening to this podcast, is that it's coming. I mean, it's on the way. There's no more "yeah, it might come, yeah, it might change, yeah, they might completely change the whole program." It ain't changing; it ain't gonna do what happened with CMMC 1.0 to 2.0, you know, the whole big change and everything. That's not gonna happen. This is coming. It's pretty dialed in. So you gotta get ready. What I can tell you is the whole process, if you haven't started yet, for instance, the process to go from zero to now you're ready for your certification assessment to begin, that whole process is 12 to 18 months. If everything goes well, and that's if you and your provider who's helping you get ready, or maybe you're just the one getting ready, you know, can get everybody to function and meet on schedule and all the things to happen, all the solutions go in place, and you have some money to spend to make these things happen, you know, that's in a good scenario, 12 to 18 months. And then your certification, I mean, you know, depending on the same thing, depending on people's schedules and what all happens, you know, you're talking a couple of months, a month at least, you know, but probably a couple months to go through that. And I don't really know, that's kind of a shot in the dark, but, you know, the point is this process is not quick, is not easy, is not simple. So don't wait until you have to have it to get started. You should get started as soon as you can.

Austin

I think that's the theme of the show: don't wait. Yeah, it is. We say that a lot, don't we?

Brooke

We do. We say that quite a bit, and it's because of all the things I just said. It's not easy, quick, or simple. So, yeah.

Austin

Yeah, no, it makes sense. So, well, cool. Is there anything else you want to add?

Brooke

No, there's not anything else I can think of to add. We'll stay on top of these town halls and try to give you a more digestible version of it so you don't have to go listen to the whole thing, the whole hour-long discussion and everything else. So hope this helped out.

Austin

Yeah, absolutely. Yeah, so check back. We'll be back again next week. We've got the CMMC conference coming up. We'll try and do a show from the conference, kind of tell you what we're seeing there, if you want to save the airfare. We're gonna have a conversation with an assessor coming up soon here in the next couple weeks. And we're also gonna start doing a little series on how small businesses or medium-sized businesses might approach the controls, if, you know, they're working with a limited budget, and we're just gonna kinda give away the secrets on how to achieve those controls. And I know a lot of people come to us wondering, how in the heck do I score 110 on the SPRS? That's at least where they're starting. You know, they're not concerned about getting compliant yet. And so hopefully that'll help answer that. So, absolutely. Awesome. So check back. Thank you guys, we'll see you next week.