Security standard revisions should not delay CMMC prep work

Revisions are underway to the security guideline at the heart of the Cybersecurity Maturity Model Certification and that process is another reminder that no company should wait until CMMC's final release to comply.

Once completed and unveiled, CMMC is the process that government contractors and their subcontractors will go through to validate how they protect controlled unclassified information in their systems.

It is unlikely that the notice of proposed rulemaking for CMMC will be released soon, but there are still several actions that companies should pursue.

One of those is paying attention to the revisions underway to NIST 800-171, a National Institute of Standards and Technology publication that outlines security standards and practices for non-federal organizations that handle controlled unclassified information on their networks

NIST is accepting comments on its proposed revisions to the 800-171 standard through July 14, said speakers at Tuesday’s town hall meeting hosted by the CyberAB accreditation body responsible for the CMMC ecosystem.

Jacob Horne, chief cybersecurity evangelist at Summit7, said companies should continue to work on their compliance with the current version of the standard. Horne believes it would be a mistake for companies to wait for NIST to finalize the third version of 800-171, which might not happen until next year.

The changes to the standard will not change the CMMC rulemaking process. CMMC is a program to certify compliance with NIST 800-171.

“They are interrelated but independent,” Horne said. “NIST 800-171 is the security requirements while CMMC assesses compliance with those requirements."

NIST's revisions to NIST 800-171 are refinements to those requirements and the agency will likely add some new controls.

Horne described the changes as “tailoring” and not fundamental changes to the requirements. But Horne also said that to understand the changes, it helps to understand the NIST 800-53 requirements that are broader for security and privacy controls.

NIST 800-171 is derived from 800-53 and focuses on requirements to protect controlled unclassified information. As 800-53 gets revised, those revisions flow to 800-171.

The expectation is that the revisions to 800-171 will be finalized in the fourth quarter of this calendar year, while CMMC will likely be finalized in the third quarter of calendar 2024.

That gap could create problems because it doesn’t give much time to revise the training and other materials needed to implement the revised standard.

But Horne said it is possible that the Defense Department will issue a so-called "class deviation" to delay compliance with the revised standard.

Even with a delay, Horne said companies who pause their compliance efforts with the current 800-171 will be months and potentially even a year behind.

Which brings the discussion to CMMC and when the proposed final rule will be released. We reported in February that the proposed rule would likely be released in June for comment. Now it does not look likely to happen.

A crucial step in the process is a review by the Small Business Administration because of the economic impact the rule will have on small businesses. SBA has not received the rule yet, which makes June a long shot for a release.

Because DOD is still in the rulemaking process, it has been relatively silent other than broad comments of support for CMMC and its importance.

In the meantime, CyberAB continues to grow the CMMC ecosystems with assessors and instructors. DOD is allowing third-party assessors to conduct joint assessments with the Defense Industry Base Cybersecurity Assessment Center as part of the Joint Surveillance Voluntary Assessment program. That program validates compliance with NIST 800-171.

CMMC certification isn’t possible right now, but scores under the Joint Surveillance Voluntary Assessment program are being recorded. Those scores will convert to a CMMC level 2 certification when the rule becomes final. CMMC has up to three levels of certification for companies.

Despite delays and uncertainty around the final CMMC rule, there are still plenty of steps companies can take now. That’s the clear message CyberAB is sending.