News and Recommendations

WHAT’S NEW: NIST controls aren’t changing, but CMMC requirements might

DTS RECOMMENDS: We’re still seeing a lot of confusion among contractors about NIST 800-171, CMMC, and when companies need to be compliant.

  • NIST 800-171 is a list of controls that departments and agencies are authorized to select from. It spells out 110 control requirements for safeguarding CUI. The requirements are finalized and have been for several years.
  • The DOD requires all 110 controls, but other agencies, including the DOE, haven’t specified which ones they will require. That’s where CMMC can help.
  • Scheduled to be finalized in the spring of 2023, the CMMC program will certify that contractors handling CUI under DFARS 252.204-7012 are compliant with all 110 controls of NIST 800-171 and, therefore, that those companies also meet or exceed all other agencies’ requirements.

For any contractor with a contract containing CUI hoping to continue to work with the DOD in 2023 or beyond, complying with NIST 800-171 is not something that you may need to do – it’s a guarantee that you will. The sooner you get started, the sooner you can protect your data and people, and confidently approach CMMC assessments – in whatever form they take. For additional information or an assessment to help you get started, contact DTS.

DoD released a statement regarding updates to the CMMC model on November 4, 2021. DoD is calling this CMMC 2.0 and has stated it will not become effective until the rule-making processes for Title 32 CFR and Title 48 CFR are complete. Until then, the Department is suspending all CMMC piloting efforts and will not approve inclusion of a CMMC requirement in DoD solicitations. Current chatter is that this will take anywhere from 9 to 24 months.

DTS RECOMMENDS: While this update is a change, it’s clear CMMC is not going away. On the surface, it appears the DoD is attempting to mitigate the potential loss of SMB DIB contractors by relaxing the initial implementation of CMMC. They may eventually reinstate the CMMC specific practices and maturity processes, as well as the certification requirement later.

Continue moving forward toward compliance with all NIST SP 800-171 controls and all associated documentation, including establishing maturity in the procedure-related controls of 800-171.

It’s critical for SSPs and POA&Ms to be accurate and to report cyber incidents in a timely manner if your contract(s) require self-attestation.

  • The final CMMC Rule will be coming out sometime between April – July 2021
  • Certified Assessors will not be available until Summer/Fall 2021. The Licensed Training Providers were just recently approved and are ramping up their training programs. The first training programs are expected to be available in April 2021.

DTS RECOMMENDS: If you haven’t begun preparing for your CMMC assessment in earnest, you risk missing key deadlines for new contracts. Contractors needing a CMMC certification for a pilot program award in FY2021 will be eligible for an assessment from a Provisional Assessor with proper documentation provided to the CMMC-AB.
  • DFARS Provisions 252.204-7019 & 252.204-7020 are only applicable to contractors required to implement the NIST SP 800-171 standards per DFARS Provision 252.204-7012.

DTS RECOMMENDS: Contractors should look in Section L of their contracts to see if it includes 7012. Provisions 7019 and 7020 are not retroactive on current contracts but will apply on contract options and recompetes.

  • The CMMC Pilot Program (Year 1 CMMC Contracts) will include contracts from:
      • Army, Navy, Air Force, Missile Defense Agency, Defense Logistics Agency
  • The Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD (A&S)) is exploring opportunities to pursue CMMC pilots outside of the DoD, to include GSA, DHS, and possibly the Department of the Interior

DTS RECOMMENDS: CMMC is still a DoD program, but they are “welcoming participation” from other agencies. This news makes it even more of an imperative for contractors to have a long-term cybersecurity strategy in place – AND to forecast and budget for continuous upgrades and training to mature their practices. Until October 1, 2025, CMMC requirements will only be included in new acquisitions with the approval of OUSD(A&S)/OCISO(A&S).

A final tip…

When searching for Cyber Security Consultants and C3PAOs, ensure that you are selecting yours from the CMMC-AB Marketplace. There are many “poser” marketplaces out there, especially for C3PAOs, and contractor companies are not getting what they’re paying for.