With international tensions brewing and technologies growing fast, America’s cybersecurity matters more than ever. But the wheels of government aren’t always the fastest turning. The Department of Defense (DoD) has delayed the rollout of its new cybersecurity requirement for contractors, CMMC v2.0 (Cybersecurity Maturity Model Certification).
If you contract or sub-contract with the Department of Defense (or if you plan to in the future), these changes will affect you. You probably have questions: Just how long will this delay last? And more importantly, what should I be doing right now?
Read on to learn more about the future of CMMC—and the cybersecurity responsibilities you already face today.
When Will CMMC v2.0 Finally Roll Out?
The requirements of CMMC have loomed over DoD contractors since the model was first announced in 2019. But since then, the standard has faced numerous changes and delays. Most of these changes have amounted to good news, making the model more achievable for smaller contractors. The latest version, CMMC v2.0, removed several requirements and aligned the model more closely with the already-established rules of NIST SP 800-171.
You can read more about CMMC v.2.0 here.
But those changes have also caused uncertainty, leaving contractors to wonder just how and when they should prepare. The DoD planned to introduce CMMC into defense contracts as early as March 2023, but that deadline has come and gone. Once again, the rollout faces ambiguous delays.
The DoD has not provided a new timeline for the rollout, but industry experts speculate the requirements could take effect in late 2023 or 2024. However, 2024 is a presidential election year, and the rollout could face even further delays.
So with the timeline and the requirements still unclear, what should contractors be doing right now?
NIST SP 800-171
With all the buzz around CMMC, it’s easy to forget that DoD contractors and subcontractors already face contractual cybersecurity obligations.
If your business handles Controlled Unclassified Information (CUI), you must meet the cybersecurity requirements of NIST SP 800-171. You must also submit a self-assessed compliance score to the Supplier Risk Performance System (SPRS) database.
Sometimes, CUI is not clearly labeled. If you’re unsure whether your business handles CUI, check to see if your contract references DFARS 252.204-7012. If it does, you must meet NIST requirements. You could also speak to your contract officer for further details.
Even though NIST SP 800-171 is a contractual requirement, it often goes unnoticed or ignored. CMMC was created, in part, to introduce the accountability that NIST lacks. However, the Department of Justice (DoJ) has made moves in recent years to tighten cybersecurity accountability for government contractors. (You can learn more about the DoJ’s Civil Cyber-Fraud Initiative here).
In short: government contractors who fail to meet their contractual cybersecurity requirements could face hefty fines. That means DoD contractors can’t afford to ignore their NIST requirements.
Even though the CMMC v2.0 rollout faces new delays, cybersecurity can’t wait. DoD contractors face important requirements even today.
But what exactly is NIST SP 800-171, and how does it relate to CMMC?
Understanding NIST SP 800-171
NIST SP 800-171 contains 110 controls across 14 different cybersecurity domains or categories. These controls help government contractors protect CUI from cybersecurity threats. They range from technical controls that require the aid of information security experts, to practical policy-based controls, such as the physical protection of your work facility. For more, visit our CMMC/NIST page. Though these controls largely overlap with CMMC v2.0, contractors must keep in mind some important differences.
What is NIST Compliance?
When CMMC rolls out, many CUI-handling contractors will require a third-party CMMC assessment. NIST SP 800-171, on the other hand, only requires self-assessment. You attest your compliance by submitting a score to the SPRS database. This score is your official attestation of compliance with NIST, so contractors should take it seriously and aim for accuracy. Even if you don’t have all the controls in place, any accurate score is better than no score or a false score.
NIST compliance also offers more flexibility than CMMC likely will. If you can’t currently implement all the required controls, NIST allows you to create a Plan of Action and Milestones (or “POAM”). This plan outlines which controls you have not yet met, along with your plan and timeline for implementing them. By contrast, CMMC will allow a POAM for some controls, but these controls have yet to be defined, and the requirements will almost certainly be much stricter.
What is the Best Way to Prepare for CMMC?
If you handle CUI, compliance with NIST SP 800-171 is a requirement. But it’s more than that. It’s also the best way to prepare for CMMC.
If CMMC’s requirements seem hefty at first glance, there’s a good reason: The DoD expects that contractors are already following NIST requirements.
For contractors who have not met their current NIST requirements, CMMC will require a massive leap forward. But if you’re already following current NIST requirements, CMMC will require much less extra effort.
This is especially true for the most current revision of CMMC. The initially announced version (CMMC v1.0) included multiple processes and practices on top of the existing NIST controls. But CMMC v2.0 removed these extra practices, making CMMC Level 2 (the level required by CUI handling contractors) identical to NIST SP 800-171.
In other words: If you’ve met the requirements of NIST SP 800-171, you’ve already met the requirements of CMMC Level 2.
What if I Don’t Handle CUI?
Some contractors don’t handle CUI—but they still might handle sensitive information. These contractors haven’t had to worry about NIST, but they will be impacted by CMMC.
CMMC exists to protect more than CUI. It also protects Federal Contract Information (FCI). If you only handle FCI, you will require CMMC Level 1. This level contains only 17 controls from CMMC Level 2/NIST. Third-party assessments are not required at this level. Instead, Level 1 contractors must submit a score to the SPRS database.
If you’re wondering what to do now that CMMC has been delayed, we suggest simply fulfilling the cybersecurity requirements you currently face. NIST SP 800-171 is a current requirement, and it’s the best way to prepare for CMMC.
At Core, we specialize in helping small businesses achieve cybersecurity. We know these requirements can seem overwhelming for smaller contractors. You’re focused on your business. You don’t have time to become a cybersecurity expert. With the right help, you don’t have to.
Core Business Solutions is a registered provider organization (CMMC RPO) with the CMMC Accreditation Board. We have a NIST/CMMC team to help small businesses implement cybersecurity requirements and achieve success.
For businesses who simply don’t have the time to overhaul their network to meet the requirements, we also offer technical solutions like CORE Vault, which provides everything you need for CMMC in one cloud-based solution. This includes the CORE Security Suite, where you can find customizable tools to build policies and calculate your assessment score. We also provide hands-on consulting support and employee training.
Let us handle CMMC and NIST so you can focus on your business. Give us a call at 866.354.0300 or contact us today for a free quote.