The time has come to go back to the future with NIST 800-171 to meet the updated compliance requirements for CMMC 2.0
Last November, the Department of Defense rolled out updated plans for their Cybersecurity Maturity Model Certification (CMMC)—CMMC 2.0. CMMC is a cybersecurity program for protecting and handling controlled, unclassified information (CUI). As part of the reorganization, the Pentagon consolidated the number of maturity levels from five to three and removed 20 controls beyond NIST SP 800-171 from the new level two.
While there is still much confusion around CMMC 2.0 and final rules could be months—if not years—away, it seems clear that NIST 800-171 will be the basis of most (or perhaps all) compliance criteria with CMMC at Level 2, the level most government contractors will need to satisfy. The good news is that, since NIST 800-171 has existed for four years within the DoD, there is a good foundation for dealing with it efficiently and effectively.
Go back to the future with NIST 800-171 to meet the additional requirements and criteria of CMMC 2.0 at level 2
At a recent industry event, Defense Department assessment leader John Ellis said of CMMC 2.0, “We focused on NIST 800-171 under the level two assessments instead of the additional CMMC requirements. However, I want to make sure everyone understands those requirements are not going away.”
So, the additional initial requirements in CMMC may remain, and can be rolled into NIST 800-171. Ellis said the requirements “will be passed over to NIST for inclusion in future revisions of NIST 800-171,” adding “that’s where technical requirements belong anyway.” But Ellis added, “If you are going to have a technical baseline” for CMMC, “the requirements should be incorporated into the technical standards baseline itself as opposed to introducing them in a secondary [CMMC] program.”
So, where do we go from here?
Yes, there are many unknowns about CMMC, and we may not find the answers for a while. But in the meantime, we know a lot about NIST 800-171. While NIST 800-171 may change somewhat in the future to include new CMMC controls, most of it will remain the same.
So go at it like the success of your company, the supply chain, and your risk management posture are on the line. Because they are. Then, when new controls are added to NIST, you’ll be way ahead of the game, and your customers will see your dedication to security.
Take the easy path to CMMC certification.
Let’s face it. Members of the defense industrial base (DIB) are overwhelmed by all these changes. And it doesn’t help that the final rules are still up in the air. But it’s not as hard as it seems.
SteelCloud’s ConfigOS automates NIST 800-171 compliance, reducing the time, cost and effort it takes to harden around an application stack. You can comply with NIST and set up continuous monitoring and mitigation in about an hour. In addition, with automation, everything gets updated when there are changes to NIST. It’s the most set-it-and-forget-it way to CMMC 2.0 compliance.
CMMC 2.0 still has changes to bring forth. But with ConfigOS on the job, they won’t interrupt your larger mission. Start complying now so you won’t have to rush later. Schedule your demo of the CMMC 2.0 compliant solution for the DIB, ConfigOS.