August 2023

CMMC Updates: NIST 800-171 Rev 3

NIST 800-171 Rev 2 is the version we have all been using for a number of years. The initial public draft of Rev 3 came out in May. An updated draft is due (and highly likely to appear) in late October, and the final version should be published late this year or early next. This is a major rewrite with significant new requirements. So while enforcement of Rev 2 is rolling out, the goal line is moving with Rev 3. The goal line is also moving along a different axis with the changes in scope coming in the new rule. So not only more requirements, but more requirements applying to more systems. Couple that "more requirements on more stuff" with the prospect of 100% enforcement of every requirement, or no contracts with the DoD. Fun times in cybersecurity compliance for the DIB.

External Service Providers

Part of this is the expansion of 800-171/CMMC requirements (in their entirety, including certification) to everything that provides security for CUI. Previously, the FedRAMP Moderate (or equivalent) requirement in DFARS 252.204-7012 applied only to cloud services that store, process, or transmit CUI. Under the new regulation (and the new CMMC 2.1 documentation), security protection data must be protected in the same way: it must live in a FedRAMP-authorized cloud or FedRAMP-authorized tool, or, if it is not in the cloud, the provider must be CMMC certified to the same level as the Organization Seeking Certification. This includes all Managed Service Providers and Managed Security Service Providers. Outsource your IT? Your provider will now have to be CMMC certified too.

For those of us geeking out on this stuff (as I do), this is not a terrible surprise. The DoD has been indicating for some time that it was heading in this direction. The language is already in the draft CMMC Assessment Process published last year. Many complained about it, and the DoD and the Cyber AB were showered in feedback. Clearly, they have not changed their mind. So if you outsource your IT and need to be certified, your IT service provider will have to be certified also.


CMMC Rule Update!

DoD and OMB expect a September release of the proposed CMMC rule. The Defense Department and the Office of Management and Budget are planning to release the proposed Cybersecurity Maturity Model Certification (CMMC) rule in September, after an earlier delay. The rule aims to move the defense industry away from self-attestation of compliance with National Institute of Standards and Technology (NIST) guidelines and will require third-party assessors to audit contractors for compliance. Once released, there will be a public comment period; the Defense Department will collect and respond to comments, potentially leading to a final rule sometime in 2024. The CMMC rule has been eagerly anticipated by the industry. Some companies have already started preparing for it, while others have taken a more cautious approach. In the meantime, third-party assessment organizations authorized by the Cyber AB have been conducting joint assessments with the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to validate compliance with NIST 800-171, which is expected to translate to CMMC Level 2 once the rule is finalized.
