Last Updated on October 12, 2020
Heresy! Blasphemy! Lunatic? Uninformed?
Au contraire, mon amie. Actually, this view is both orthodox and very informed… with one key caveat. Let me explain.
The caveat is that you have a current contract that includes the Defense Federal Acquisition Regulation (DFARS) Supplement Clause 252.204-7012 (Safeguarding Unclassified Controlled Technical Information). That particular clause specifies the need to comply with NIST SP 800-171.
Contrary to popular belief, NIST 800-171 is not going away anytime soon because of the way DIB contracts are constructed. Katie Arrington, the point person for CMMC, said it best:
“We have to go through an acquisition cycle. Most of our acquisition contract strategies are one base year, plus four option years. So if you’re on a contract today that is not due to come out for recompete for three years, you are not going to be required to get a CMMC certification if you’re [winning] only on that work for the next few years.”
So with the current project ramp of four-plus years until CMMC is fully in place, does that mean you are off the hook until then? Unfortunately for you (but fortunately for US national security) the answer to that is a resounding “No.”
There is a solid rationale for getting serious about NIST 800-171. Here are the top 3 reasons:
- To this point, agencies and prime contractors only verified that subcontractors had implemented NIST 800-171 with a single assertion (essentially a big red ‘X’ on construction paper). Hence the need for CMMC. Meanwhile, the DCMA has ramped up its enforcement capabilities and will be more aggressively validating NIST 800-171 compliance. It’s important to note that the US government has been employing the False Claims Act against organizations that misrepresent compliance. Net out: You will need to be able to prove that you are NIST 800-171 compliant.
- If yours is one of the 135,000-something companies whose supply chain collaboration is managed through Exostar, they have added a new “Certification Assistant,” a platform for streamlining the implementation of controls and policies necessary to complete an accurate NIST 800-171 self-assessment, or to prepare for CMMC certification success. What that means is that the prime contractors that you need to assert to will now have visibility into the actual implementation of your NIST 800-171 (or CMMC) implementation.
- You are going to need to get CMMC Level 3 certified at some point in the next few years—either to cement your spot in a capture team or to secure a contract with a CMMC requirement. CMMC has 130 controls of which 110 are the ones that you need to implement for NIST 800-171 anyway. So moving to provable NIST 800-171 conformance is getting you 85% of the way to CMMC.
So dust off your NIST 800-171 and/or NIST Handbook 162, put away your shiny new copy of CMMC, and get to work!
Note: As this post is being pushed to our website (July 2nd, 2020) I am hearing whispers that although the CMMCAB has not changed the timeline for CMMC, Primes are setting a more aggressive goal to have fully CMMC Level 3 capture teams by close of 2021. Assuming so, CMMC takes on a far different level of importance. WKYP and update this blog as we get more info.