News and Recommendations
WHAT’S NEW: NIST controls aren’t changing, but CMMC requirements might
DTS RECOMMENDS: We’re still seeing a lot of confusion among contractors about NIST 800-171, CMMC, and when companies need to be compliant.
- NIST 800-171 is a list of controls that departments and agencies are authorized to select from. It spells out 110 control requirements for safeguarding CUI. The requirements are finalized and have been for several years.
- The DOD requires all 110 controls, but other agencies, including the DOE, haven’t specified which ones they will require. That’s where CMMC can help.
- Scheduled to be finalized in the spring of 2023, the CMMC program will certify that contractors that handle CUI under DFARS 252.204-7012 are compliant with all 110 controls of NIST 800-171 and, therefore, that those companies also meet or exceed all other agencies’ requirements.
For any contractor with a contract containing CUI hoping to continue to work with the DOD in 2023 or beyond, complying with NIST 800-171 is not something that you may need to do – it’s a guarantee that you will. The sooner you get started, the sooner you can protect your data and people, and confidently approach CMMC assessments – in whatever form they take. For additional information or an assessment to help you get started, contact DTS.
DoD released a statement regarding updates to the CMMC model on November 4, 2021. DoD is calling this CMMC 2.0 and has stated it will not become effective until the rulemaking process for Title 32 CFR and Title 48 CFR is complete. Until that time, the Department is suspending all CMMC piloting efforts and will not approve inclusion of a CMMC requirement in DoD solicitations. The current chatter is that this will take anywhere from 9 to 24 months.
DTS RECOMMENDS: While this update is a change, it’s clear CMMC is not going away. On the surface, it appears the DoD is attempting to mitigate the potential loss of SMB DIB contractors by relaxing the initial implementation of CMMC. They may eventually reinstate the CMMC-specific practices and maturity processes, as well as the certification requirement.
Continue moving forward toward compliance with all NIST SP 800-171 controls and all associated documentation, including establishing maturity in the procedure-related controls of 800-171.
If your contract(s) require self-attestation, it’s critical that your SSPs and POA&Ms are accurate and that you report cyber incidents in a timely manner.
- The final CMMC Rule will be coming out sometime between April and July 2021
- Certified Assessors will not be available until Summer/Fall 2021. The Licensed Training Providers were just recently approved and are ramping up their training programs. The first training programs are expected to be available in April 2021.
- DFARS Provisions 252.204-7019 & 252.204-7020 are only applicable to contractors required to implement the NIST SP 800-171 standards per DFARS Provision 252.204-7012.
DTS RECOMMENDS: Contractors should look in Section L of their contracts to see if it includes 7012. Provisions 7019 and 7020 are not retroactive on current contracts but will apply on contract options and recompetes.
- The CMMC Pilot Program (Year 1 CMMC Contracts) will include contracts from:
  - Army, Navy, Air Force, Missile Defense Agency, Defense Logistics Agency
- The Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD (A&S)) is exploring opportunities to pursue CMMC pilots outside of the DoD to include: GSA, DHS, and possibly the Department of Interior