This post first appeared on Federal News Network.
Federal contractors were just getting familiar with Cybersecurity Maturity Model Certification (CMMC) requirements when the National Institute of Standards and Technology announced Special Publication 800-171 Revision 3, further advancing cybersecurity requirements.
According to NIST, the new updates are the result of months of data collection, technical analyses, customer interaction, redesign and development of the security requirements and supporting information to better protect controlled unclassified information (CUI).
Revision 3 contains requirements to “specifically address threats to CUI, which recently has been a target of state-level espionage.” With the constant evolution of cyber threats, four years means we are overdue for an update. Here’s what “Rev 3” will mean for your company.
- Tougher security standards: Cybersecurity standards tend to lag behind the threat landscape. Because of that, they are written as one-size-fits-all, generalized controls that address known threats. The new NIST 800-171 adds three new control families, most significantly supply chain risk management. Understanding these changes and quickly meeting these tougher new standards improves cybersecurity posture — and exceeding minimum requirements is a good thing.
- Clarity: NIST 800-171 rev 3 used data, technical analyses and user feedback to help remove ambiguity, improve implementation, and clarify the scope of assessments. Both technical and non-technical requirements have been stated more clearly — always a welcome change.
- More assessment points: In Rev 3, the number of controls dropped from 110 to 95 (through combining and clarifying), but the number of assessment objectives went up from 320 to 390.
That’s significant when writing a system security plan (SSP), since each organization will need to address and provide documentation for all objectives. It’s important to note that each control has several assessment objectives, and an organization must meet all of them in order to be compliant with that control.
- Questions about the Defense Federal Acquisition Regulation Supplement (DFARS) and CMMC: Right now, CMMC requires contractors to be compliant with NIST 800-171r2. But DFARS 252.204-7012(b)(2)(i) requires that contractors be compliant with the current version of SP 800-171 at the time a solicitation is issued or as authorized by the contracting officer.
The discrepancy could be a problem: Contractors could be required to become compliant with NIST SP 800-171 rev 3 as soon as it’s published, which we estimate to be late April or May of this year. Of course, the DoD could issue a temporary waiver, giving contractors a “grace period.”
A robust response to Rev 3
Once NIST publishes NIST 800-171 rev 3, the work begins. Even if the DoD provides a temporary waiver for CMMC for a year or more, contractors are expected to begin working toward compliance immediately. That’s the “maturity” part of CMMC and a best practice for protecting CUI and your own data and people. A robust response will have three points:
- Evaluate your security posture against the new assessment objectives (or ask your cybersecurity partner to provide an assessment).
- Work on closing any gaps. For contractors, that means writing a plan of action and milestones (POA&M) that identifies the tasks or steps to be accomplished and a schedule for doing the work.
- Create a new system security plan. Writing a system security plan, especially with 390 assessment objectives, is quite a daunting task. The good news is that NIST didn’t completely scrap revision two. Organizations with existing plans will be able to reuse or edit a good deal of content. By the way, there’s no grace period for this step. It might not be required for a CMMC assessment this fall, but it is compulsory for all contractors.
It’s been four years since the last revision to NIST 800-171. I think we can expect additional security requirements on a similar cadence or even sooner, given the pace of new threats emerging. Though this one might catch some contractors by surprise (since CMMC assessments have not even begun), in a few years’ time, cybersecurity will be just another operational task. We’ll all be safer for it.
Edward Tuorinsky is founder and managing principal at DTS.