In January 2020, the first version of the CMMC framework was released by the Department of Defense (DoD) in response to the rise in cyber-attacks. When contractors achieve certification, government agencies can be assured that those contractors safely store and process sensitive information.
Pushback from contractors about the cost and resources required for its implementation prompted the DoD to carry out an internal review under the Biden administration. As a result, a new CMMC model, known as CMMC 2.0, was announced in November 2021.
CMMC 2.0 aims to simplify the framework and reduce barriers to compliance. Under the new CMMC 2.0, contractors handling Controlled Unclassified Information (CUI) will need to be certified in meeting one of three levels of requirements rather than the original five levels.
It will also provide more clarity on policy, contracting and regulatory requirements and reduce the number of organizations required to receive third-party assessments.
The Pentagon has indicated that organizations that handle non-prioritized CUI may only be required to perform a self-assessment to affirm that they meet NIST 800-171. Those handling the most advanced levels of CUI could require assessment from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
While exercises to define the levels of CUI and ensure they are clearly delineated are currently underway at the Pentagon, non-prioritized CUI is expected to be defined as information that would cause limited issues if released, whereas prioritized CUI could give an advantage to adversaries or cause a loss of capability if released.
Each DoD contract will indicate what type of CUI is involved, giving organizations the opportunity to plan their compliance assessment measures accordingly.
With the rulemaking process for the Code of Federal Regulations in progress, version 2.0 is not expected to be finalized until next year. In March 2023 the US Office of Management and Budget (OMB) will make public comment on the updated rule and the DoD will begin implementing CMMC in contracts from May 2023.
The right time to start the CMMC compliance process is now, if you haven’t already. This will stand you in good stead to compete for DoD contracts once the new rules have been implemented.
Data collected by the Defense Contract Management Agency (DCMA) highlights a current lack of preparedness. Over the last few years 300 assessments have been carried out by the Defense Industrial Base Cybersecurity Assessment Center, and only 25 percent of the assessed organizations were compliant with the 110 requirements in NIST 800-171.
An early adopter program for CMMC is being planned by the DCMA. This will include on-site assessments and give defense organizations the opportunity to work for third-party assessors before CMMC 2.0 is finalized.
The Pentagon is encouraging contractors to strengthen their cybersecurity while the rulemaking process continues. The DoD has commented that it is looking at ways to incentivize organizations to begin carrying out assessments before it is contractually required.
We recommend that organizations begin with NIST 800-171 compliance, which is a requirement for CMMC level 2. Establishing a baseline against these requirements will highlight any issues that need to be prioritized for remediation, helping to improve the overall security of the network and contributing towards the effort to meet CMMC compliance.
Titania Nipper can accurately and automatically determine compliance with NIST SP 800-171 (Rev 2) controls related to network devices. Our virtual modeling reduces false positives and identifies exact fixes to help you stay secure and compliant. Visit the NIST SP 800-171 solution page to find out more or request a trial today.
Matt Malarkey