NIST 800-171 Rev 3
Rev 2 is the current version we have all been working against for a number of years. The initial public draft of Rev 3 came out in May. The updated draft is due (and highly likely to show up) in late October, and the final version should follow late this year or early next. This is a major rewrite with significant new requirements. So just as enforcement is rolling out on Rev 2, the goal line is moving with Rev 3. It is also moving on a different axis: the changes in scope coming out in the new rule mean the requirements reach more systems and more providers than before. So not only more requirements, but more requirements applying to more stuff. Couple that "more requirements on more stuff" with the prospect of 100% enforcement of every requirement as a condition of holding DoD contracts, and you have fun times ahead in cybersecurity compliance for the DIB.
External Service Providers
Part of this is the expansion of the 171/CMMC requirements (in their entirety, certification included!) to everything that provides security for CUI, not just the systems that hold it. Previously the FedRAMP requirement in the DFARS 7012 clause applied only to cloud services that process, store, or transmit CUI. Under the new regulation (and the new CMMC 2.1 documentation) the data and tools used to protect that CUI must now be protected to the same standard. In other words, a cloud service must be FedRAMP Moderate-authorized (or the equivalent), and a provider or tool that is not in the cloud must be CMMC certified to the same level as the Organization Seeking Certification it serves. This pulls in Managed Service Providers and Managed Security Service Providers. Outsource your IT? Now they will have to be CMMC certified too.
Now, for those of us geeking out on this stuff (as I do), this is not a terrible surprise. The DoD has been signaling this direction for some time. The same language is already in the draft CMMC Assessment Process published last year. Many complained about it, and the DoD and the Cyber AB were showered in feedback. Clearly they have not changed their minds. So if you outsource your IT and you need to be certified, your IT service provider will have to be certified as well.