Senior Consultant, Information Security Services, United States
Since November 2021, the Cybersecurity Maturity Model Certification (CMMC) has been a hot topic among contractors, suppliers, and cybersecurity experts. The questions range from “What exactly is happening with CMMC?” to “Does my organization need to worry about CMMC?” along with many others.
In 2016, the Defense Federal Acquisition Regulation Supplement (DFARS) was updated. The update required all DoD contractors and their sub-contractors to self-assess against the cybersecurity requirements of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. In 2019, DFARS was updated again. This update added the requirement for the Cybersecurity Maturity Model Certification, supported by a triennial independent assessment. Department of Defense (DoD) contractors and their sub-contractors handling controlled unclassified information (CUI) were given five years to implement these changes.
Also in 2019, the CMMC Accreditation Body (CMMC-AB) was established as a joint venture between Carnegie Mellon University, The Johns Hopkins University Applied Physics Laboratory LLC, and Futures, Inc. The CMMC-AB oversees the program under a no-cost contract, and the program itself is currently overseen by the DoD CIO office. That same year, CMMC-AB released the first draft of CMMC 1.0, covering the credentials required for independent assessors and how to conduct the assessments of DoD contractors.
In November 2021, the DoD paused CMMC 1.0 in response to public comments and to evaluate and update the DFARS rules for independent assessments, leading to the release of CMMC 2.0. CMMC 2.0 covered several critical changes, including the removal of the CMMC maturity processes, alignment of the body of the assessment to NIST SP 800-171, and the reduction of CMMC levels from five to three. Lastly, the CMMC-AB was renamed Cyber-AB to reduce confusion between the DoD’s CMMC requirements and the Cyber-AB’s role in certifying the organizations and auditors that conduct CMMC assessments.
Keep in mind that none of these events changes the existing requirement under DFARS 252.204-7012, which requires contractors and their sub-contractors handling CUI to be compliant with the 110 controls and 320 objective statements of NIST SP 800-171.
- How will these assessments work, and how long will they take to implement? The DoD estimates there are tens of thousands of companies that will need to be assessed, but currently there are under forty accredited assessing organizations.
- How will small businesses be able to afford meeting the NIST SP 800-171 requirements as well as the third-party assessments and the other facets of the certification process?
- Will contractors be ready for the CMMC assessments and certifications? A surprising number of contractors are not currently compliant with NIST 800-171 rev 2, so making the jump to CMMC will be a shift that takes some time.
- What can contractors do in the interim? Cyber-AB has agreed to allow C3PAOs to conduct NIST SP 800-171 assessments and issue a letter of conformance to support the contractor’s SPRS submission.
Metzger suggests contractors begin by assessing their cybersecurity health as it exists now. Whether or not your focus is on a specific certification, cyber-attacks are a reality, so it is important to protect your customers’ data as well as your own. It is a good time to start working on your NIST 800-171 rev 2 compliance.
The world of cybersecurity and its associated certifications is complex and constantly evolving. The eventual launch of CMMC and the new NIST SP 800-171r3, both expected in 2024, are two such examples.
Smithers, a C3PAO candidate, will soon be able to offer you a letter of conformance to NIST 800-171r2, which will be updated to a CMMC certificate when CMMC is officially released (this requires the client to be under a Smithers continuous assessment program with annual surveillance assessments). Smithers is ready to help you navigate these requirements and address your organization-specific questions.
If you have questions about your specific organization, please contact us today.