A stitch in time saves nine. Earn your proverbial gold star by going back to the future with NIST 171.
Don’t wait for CMMC 2.0 accreditation.
The world is full of proverbs reinforcing the wisdom of “acting now.” And, right now, most of those proverbs are loudly echoing throughout the defense industrial base (DIB).
The reason is Cybersecurity Maturity Model Certification (CMMC). If a member of the DIB interacts with government data on even a cursory scale, they need to comply with security mandates. Security Technical Implementation Guides (STIGs) and Center for Internet Security (CIS) benchmarks provide security and configuration checklists government organizations must meet before deploying a system or application. And NIST 800-171 guides private organizations in hardening many of the same endpoints before doing business with the government. Together, these security mandates represent much of the Risk Management Framework (RMF).
Even though the parameters of CMMC haven’t been fully formed yet, we know that NIST 800-171 will provide the bulk of the requirement. And the experts are all saying that the earlier you comply with NIST 171, the better. “Don’t wait for this to be a requirement in your contract,” said Matthew Travis, the CMMC Accreditation Body’s CEO. “Go ahead, engage in CMMC and get certified.” In the meantime, go back to the future and revisit NIST 171. NIST 800-171 always has been and continues to be the law of the land.
The early bird catches the worm.
There are clear benefits to receiving your CMMC 2.0 certification before the deadline:
- We know the Department of Defense (DoD) is exploring providing incentives to companies that voluntarily obtain their certification before it is required.
- There’s a chance that the DoD will finish its regulations ahead of time and start putting language in contracts. If you are not certified, you’ll be behind bidding on those contracts.
- Successful certification. Getting an early start means having plenty of time to solve any snags you may encounter along the way to certification.
- Your CMMC certification says that you take cybersecurity seriously. It shows you care about your customers’ security. Doing the work now to get certified indicates just how much you care.
- Good business. If government contracts are your livelihood, getting certified is key to your business.
Forewarned is forearmed.
Take advantage of the ample lead time you have now. However, because the certification process is robust, there are many things you’ll want to plan around, anticipate, strategize or put into motion over the next year or two.
More teeth are being put into NIST 171 with the False Claims Act. To begin with, at every level, the FCA will impose civil liability on any person who knowingly misrepresenting their cybersecurity practices or protocols and or violate obligations to monitor and report cybersecurity incidents. When you upload level 1 compliance into SPARS, for example, whatever you claim, you’d better be doing. There are consequences under the False Claims Act. In this rapidly changing technological landscape, managing risk and ensuring compliance using automation are effective ways to mitigate the risk of FCA liability.
“The DoD has announced that they are going to look to take the controls that were originally in CMMC and not in NIST 171 and ask NIST to implement those in future releases of CMMC.” Brian Hajost, Founder and COO, SteelCloud. We fully expect that NIST 171 and CMMC will be synchronized in the future.
Completing your certification before the deadline will also help you avoid any last-minute rush in getting assessed. Right now, assessors are in a holding pattern waiting to be retrained. Being an early bird can help you handle hiccups that may arise when the rush is on.
Assessing your risk compliance
It is a known fact that the protection of Controlled Unclassified Information (CUI) in non-federal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations. Note that 171 in old DFARS was all self-assessment, and 171 in new CMMC 2.0 and new 171 look ahead, is self-assessment only when pertains to federal contract information. If you are touching Controlled Unclassified Information (CUI), you must be assessed. That is where level 2 comes in for CUI. Level 1 is only for non-federal systems information (FCI), and level 2 is for CUI. Non-federal systems that store, process, or transmit FCI that does not also qualify as CUI must follow, at a minimum, the basic safeguarding requirements outlined in FAR clause 52.204-21.
If you are going to progress to a new level 3, the federal government will do the assessment. You need to pass the level 2 assessment, the CMMC assessments for level 2. Assess your risk and not only what the cost of compliance means but what it means for not being compliant.
So, what can you do now to be better prepared for CMMC 2.0? We recommend starting with reading the documentation and taking some preparation classes.
Streamline the process of creating a hardened system with STIG automation for NIST 171 technical controls
To be or not to be…assess your risk and not only what the cost of compliance means but what it means for not being compliant. It is essential to know your risk posture.
Although there are still some unknowns about CMMC 2.0, there are knowns with NIST 171. So start with 171 in earnest. Do 171 and be well prepared when precisely what is required for CMMC 2.0 is known. Two areas that any organization will need to review when looking at compliance for either 171 or CMMC are the human non-technical side, how the organization physically protects information, and how the audit is done. Secondly, there are the system-level controls and hardening their systems and reporting and that type of activity. Finally, hardening an environment for 171 or CMMC for the lowest possible cost and effort becomes extremely important. Reducing the time it takes to harden the environment around an application stack is akin to cracking the code.
The time to hesitate on security compliance automation is over, and if you snooze, you lose.
There are still some unknowns about CMMC 2.0, yes. But there are a plethora of knowns about NIST 800-171. Don’t take a chance of the DoD completing the DFARS regulations ahead of schedule of adding language in the contracts that might affect your bidding on those contracts. So, go back to the future and start with NIST 800-171 in earnest. You will find that you will be way ahead of the curve when the final requirements are written.
“Don’t wait for this to be a requirement in your contract,” said Matthew Travis, the CMMC Accreditation Body’s CEO. “Go ahead, engage in CMMC and get certified.”
“CMMC certification will eventually be the coin of the realm in federal acquisition cybersecurity,” says Matthew Travis, the CMMC Accreditation Body’s CEO. “And you’ll stand out if you don’t have it.” So, get started today and show your customers in the DoD that you are as dedicated to protecting their data as they are.
Go back to the future with NIST 800-171.