Last Updated on March 9, 2022
Firms in the US defense industrial base (DIB) have seen their share of “regulatory fluctuations” in the past 18 months. The magnitude and pace of change—never mind the growing list of unknowns—have led to some general confusion about what “CMMC 2.0 compliance” means for US Department of Defense (DoD) suppliers at this point.
Where should DIB orgs be aiming their cybersecurity programs right now? And how might the situation evolve over the next 6 to 12 months?
To help SMBs in the DIB achieve and maintain CMMC 2.0 compliance, a recent episode of The Virtual CISO Podcast features Andrea Willis, Senior Product Manager at Exostar and an expert in continuous compliance. Hosting the show is Pivot Point Security CISO and Managing Partner, John Verry.
Everywhere you turn, it’s NIST 800-171
“I think there’s a lot of confusion, and some of that will remain until the rulemaking for CMMC 2.0 happens,” says Andrea. “But what I tell people when they ask about compliance is, ‘Well, today the compliance target is the DFARS 7012 clause [in your contract], which has always been about conforming to NIST 800-171.’ So, this is where I direct people.”
At the moment, attestation to your level of NIST 800-171 compliance only requires you to self-report a compliance score in the DoD’s SPRS database. But what will CMMC 2.0 compliance look like when rulemaking is finalized?
“At least in terms of what they’ve announced, the CMMC 2.0 compliance requirement coming up is also NIST 800-171,” Andrea observes. “So, if you align with NIST 800-171 you’re going to be in a good spot to move forward even though there is still a bunch of uncertainty because we still have the rulemaking process.”
Back to the future
“The good news for all of us is the DoD’s assessment [of CMMC 1.0] was sort of ‘back to the future’,” John reframes. “We’d been at NIST 800-171, and then the CMMC-AB moved us forward a little bit and changed what we were going to do. And then the DoD came back and said, ‘No, let’s just stick with what we have. Let’s just certify that or have senior officials sign off on it.’ At the net, that’s what really happened, right?”
In short, it’s likely that the attestation approach will change for many DIB orgs with CMMC 2.0. But the compliance target has not changed. Therefore, keep aiming for NIST 800-171 if you’re not all the way there. And if you think you are now NIST 800-171compliant, consider working on building compliance evidence to back that self-assessment up.
Andrea notes that a lack of trust in self-attested compliance scoring is already of concern to DoD contract managers.
“I had an interesting conversation with a government employee who wanted to verify SPRS scores for subprimes for the contract he was managing,” shares Andrea. “They’re very cognizant of the fact that, because it’s all self-attestation and all that’s put in the system is the score, how do they verify?”
“So, they’re looking forward to more of the CMMC 2.0 [program], where for those organizations that go through an audit there actually is going to be documentation stored in the government system so they can verify that if an organization says their score is 110, they really are a 110,” Andrea adds.
“That third-party attestation component provides a much higher degree of assurance,” John replies.
To listen to the full podcast episode with continuous compliance expert Andrea Willis, click here.
Want a comprehensive rundown of CMMC 2.0 and what it means for the DIB? Try this recent podcast: CMMC 2.0 is Here! Find Out What It Really Means for DIB and Non-DIB USG Contractors