Regardless of the industry, trade shows and conferences are great ways to find out what the hot topics are. Such is the case with CS2 (Cloud Security & Compliance Series). Hosted by Summit7, the two-day conference included many different speakers, several sessions, and a variety of topics. Ten key themes emerged from the show.
If you are a small business that has to use an outside vendor for your cybersecurity services, you need to make sure you have a shared responsibility matrix. This point was reiterated in many different sessions, especially because MSPs (Managed Service Providers) are often such important parts of a company’s CMMC journey. A shared responsibility matrix is a chart that outlines what you are responsible for, what your vendor is responsible for, and where you both will have parts to play. Whether you are working on scope, strengthening your cybersecurity, or anything in between, many speakers talked about how important it is to have these shared duties outlined before any work begins.
There were many questions and discussions about when companies will have to move to compliance with revision three of 800-171 instead of the current standard, revision two. CMMC 2.0 mentions revision two specifically, and DFARS 252.204-7012 simply says companies must comply with the current revision of the standard. The publication of NIST SP 800-171r3 will likely help clarify this situation.
Companies need to understand not only what CUI they are storing, processing, or disseminating, but they also need to truly understand their defense contracts. In some cases, contracts include the DFARS clause even though the contractor will never touch CUI. Be sure to talk to your contracting officer if you have any doubts or any questions.
DC3 and DCISE (the DOD Cyber Crime Center and the DOD DIB Collaborative Information Sharing Environment) were highlighted as resources contractors can and should rely on. Participation is voluntary, but DC3 strives to create a collaborative environment for sharing threat information. It is open to any contractor who stores or processes CDI (Covered Defense Information).
The False Claims Act came up often even though not many cases have been pursued by the Department of Justice. The main thing to remember is that where cybersecurity is concerned, the Civil Cyber Fraud Initiative incentivizes people in an organization to speak out and offers protection against wrongful termination. If someone brings a concern, the best idea is to listen and act on it appropriately and expediently.
Continuing concerns about timing were present through many presentations. One company that successfully completed a Joint Surveillance Assessment (an assessment with DIBCAC and a C3PAO) said they had difficulties scheduling an assessor 9-12 months ago. It will be increasingly hard to get an assessment scheduled with C3PAO companies once the rule is published and finalized. If you are interested in talking to us about an assessment, use this Calendly link to schedule a no-obligation meeting with us: https://calendly.com/robert-mcvay/30min
From Cyber AB Head Matt Travis to most other speakers at the show, there was an urgent call for more information about how CMMC 2.0’s verbiage about MSPs will impact the industry. Many managed service providers are staffed by fewer than ten people and do not offer 24/7 surveillance. How will those companies be able to go through a CMMC certification process? Also, if a contractor is working with an MSP and the MSP does not pass, the contractor does not pass either. How will that work? Many companies and associations are already working on these answers.
FedRAMP definitions, expectations, and explanations were common topics throughout the show. The CMMC 2.0 proposed rule mentions FedRAMP and Cloud Service Providers often, and these topics also appear often in comments regarding the proposed rule. An additional topic was the memorandum released shortly before the end of 2023 which defined “FedRAMP equivalency.”
Small to mid-sized businesses, whether manufacturing contractors or MSPs, should be well on their way to preparing for their initial NIST 800-171 assessment. The potential C3PAO backlog is not the only motivator. One of the speakers who successfully completed a Joint Surveillance assessment talked about the achievement as a differentiator. Passing a NIST assessment and eventually earning a CMMC certification are accomplishments to be proud of and to promote.
What questions do you have concerning any of these topics? Feel free to contact us today.