CMMC is delayed until 2024; now what?

The CMMC delay and confusion about the final rule has been a distraction from what contractors should be focused on, NIST SP 800-171 compliance.

GIE Media

Since the DOD announced the delay of Cybersecurity Maturity Model Certification 2.0 (CMMC) in Nov. 2021, defense contractors have been in limbo about the next steps. This has been reinforced by skeptics pondering whether CMMC will become a reality at all and by others debating what CMMC 2.0 will finally say. The real question for defense contractors is: “What should we be working on until CMMC 2.0 is released?”

NIST 800-171

The CMMC delay and confusion about the final rule has been a distraction from what contractors should be focused on: NIST SP 800-171 compliance. NIST SP 800-171 compliance has been the law of the land, at least for DOD contractors, since Jan. 1, 2018, for contracts involving Controlled Unclassified Information (CUI). If your contract contains DFARS clauses 252.204-7012, -7019, or -7020, compliance with NIST SP 800-171 is mandatory. If your organization is not currently compliant with NIST SP 800-171, it could be penalized with sanctions, loss of contracts, and potential referral under the False Claims Act (31 U.S.C. §§ 3729–3733).

Why start now?

DOD contractors are considered the weakest link in protecting CUI data because of their sheer number and the wide variation in their cybersecurity compliance and protections. Malicious actors are always looking for vulnerabilities to exploit in order to steal our defense industrial information.

Ensuring your organization is NIST SP 800-171 compliant is the first step in ensuring CUI data is protected. The second step, following my drill sergeant’s “trust but verify” principle, is an independent assessment verifying that the NIST SP 800-171 controls have been properly implemented and are supported by a process to maintain them.

Getting a NIST SP 800-171 conformance assessment before CMMC is officially released can bring value to your organization. Receiving an early NIST SP 800-171 Letter of Conformance attests to your organization’s commitment to cybersecurity and to protecting the DOD’s CUI. Additionally, DFARS 252.204-7024 (released March 2023) requires the contracting officer to use an organization’s SPRS score in determining the cyber risk the organization brings to the DOD. Lastly, a cybersecurity assessment and statement of conformance may improve your organization’s ability to obtain cybersecurity insurance, and the level of coverage available, as many providers now ask for independent assessments in addition to self-attestation when determining the amount of coverage, limitations, deductibles, and premiums.

NIST 800-171 is a journey, not a destination

The average organization will need 12 to 18 months to become compliant with NIST SP 800-171 and be ready for its first assessment. If your organization has not started the process of becoming compliant, it is likely you will not be compliant when CMMC 2.0 is released. This could be problematic because your organization has been submitting an SPRS score and self-attesting to meeting the requirements of NIST SP 800-171 since 2018, which could leave you open to charges under the False Claims Act.

Currently there are more defense contractors who will need an assessment than there are CMMC assessors and third-party assessor organizations (C3PAOs) to conduct the assessments required every three years. When CMMC is released, organizations can expect long waits and difficulty finding an available assessor in a timely fashion.

Becoming NIST 800-171 compliant can feel intimidating, both financially and in terms of the time investment. However, when balanced against the risk to your organization and the potential loss of DOD CUI, this is a small price. Many companies have already started this journey, and others are already compliant and receiving assessments. It’s time to get started.

Robert McVay (COL, ret) is a cybersecurity lecturer for Carnegie Mellon and a senior consultant with Information Security Services for Smithers. https://www.smithers.com

September October 2023