Update on Rulemaking
From an article published by Sara Friedman[1] of Inside Cybersecurity, the DoD now expects to release interim rules two months earlier than expected — in March 2023 — and include CMMC requirements in contracts by May 2023, after the conclusion of a 60-day comment period. Stacy Bostjanick, Director, Cybersecurity Maturity Model Certification (CMMC) Policy, OUSD A&S, US Department of Defense, announced this update at the CMMC Day Conference, which was held on May 9. A phased rollout is once again anticipated, over a three-year period.
Companies are encouraged to complete an assessment by an approved certified third party prior to May 2023. Early certifications would remain valid for three years after the date CMMC officially goes into effect.
CUI Guide is Forthcoming
CMMC Director Stacy Bostjanick also shared that she has been working on a CUI guide that will become “the rule of thumb” for contracting officers to use in defining CUI and determining what level of CMMC is required in a contract.
NIST SP 800-171 Series Updates
Sara Friedman of Inside Cybersecurity also reports[2] that, according to Victoria Pillitteri, Acting Manager, Security Engineering and Risk Management Group for NIST, the National Institute of Standards and Technology (NIST) is expected to issue a pre-call for public comments on updates to NIST Special Publications 800-171 Rev. 3, 800-171A, 800-172, and 800-172A. The 20 unique controls that were included in CMMC 1.0 but removed in version 2.0 of the program are expected to be added to NIST SP 800-171 Rev. 3.
Update on SPRS Reporting and DIBCAC Medium Assessments
In a Cyber Collaboration Center webinar on May 5, Larry Lieberman, Cyber Evangelist with eResilience[3], shared that the DCMA DIBCAC is starting to conduct Medium Assessments (SSP reviews) on contractors and subcontractors to evaluate the accuracy of SPRS reporting. The audience was reminded of key “realities” concerning NIST SP 800-171 assessment and SPRS submissions, including the following:
- Assessments should be done using the NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information;
- SPRS scores don’t have to be high, but they must be accurate. There is no minimum score for uploading to SPRS; however, having no submission at all will preclude your organization from eligibility for DoD contracts requiring compliance with DFARS 252.204-7012.
Prime contractors were advised to proactively validate their DoD subcontractors’ submissions.
John Ellis, Director of DCMA’s Software Division, shared that the DIBCAC has begun conducting Medium Confidence Assessments on small and medium-sized contractors, to determine the accuracy of their SPRS submissions.
The video recording for this webinar and other recent webinars can be found at www.cybercollaborationcenter.org.
“FAR and Above” Phased Approach, from CMMC Information Institute
The CMMC Information Institute introduced their “FAR and Above” Phased Implementation Plan for NIST SP 800-171 and CMMC 2.0 Level 2 Adoption. The phased approach is incorporated in a complimentary NIST SP 800-171 self-assessment tool, offered at no cost under the Creative Commons CC-BY-SA license. The tool also includes a System Security Plan worksheet, tabs for inventorying hardware, software and cloud services, potential assessment considerations, a POA&M template, and CUI types. The tool is available via the organization’s web page: https://cmmcinfo.org/home/cmmc-info-tools/dod-nist-sp-800-171-basic-self-assessment-scoring-template/.
The phased approach is organized as follows:
- Phase 1 of the plan covers the 17 controls derived from FAR 52.204-21 requirements and their corresponding NIST SP 800-171 controls;
- Phases 2 through 5 encompass the rest of the controls (reorganized) from NIST SP 800-171.
What We Are Following
Follow FoxGuard’s Quarterly CMMC Update blogs to stay up to date regarding:
- Progress on FAR and DFARS rulings
- Upcoming DoD incentives for early CMMC certification
- Clarification and training on identifying and marking CUI
- Allowance of Plans of Action & Milestones (POAMs) in CMMC
- Final decisions on Third-Party Certification vs. Self-Attestation
Check out our Blog Series – Technical Implementation of CMMC
Download FoxGuard’s latest blogs on top-level technical implementation options of CMMC Levels 1 and 2 at https://foxguardsolutions.com/library/?categories=blog.
Need Help?
FoxGuard Solutions is a Registered Provider Organization (RPO), with Registered Practitioners ready to help with your cybersecurity readiness needs, including planning and preparation for CMMC. You can find us on CMMC Accreditation Body Marketplace/FoxGuard Solutions.
If you are an Organization Seeking Certification (OSC) and are overwhelmed by the enormity and complexity of CMMC, consider our professional services to help you plan, implement, and maintain compliance and ensure uninterrupted eligibility for DoD work.
FoxGuard’s services will help you save time and money in your journey towards FAR, NIST, and CMMC compliance by helping to accurately evaluate the type of protected information your organization handles, identify where the information resides, and create a customized and streamlined solution for effective and thorough protection of that information.
FoxGuard partners with Boston Government Services, LLC (BGS), one of only 12 currently authorized CMMC Third-Party Assessment Organizations (C3PAOs).
Please visit https://foxguardsolutions.com/cmmc/ for more information.
[1] https://insidecybersecurity.com/share/13502
[2] https://insidecybersecurity.com/daily-news/nist-plans-release-%E2%80%98pre-call%E2%80%99-comments-controlled-unclassified-information-publications