Last Updated on September 10, 2021
If your business is thinking ahead to a Cybersecurity Maturity Model Certification (CMMC) or NIST 800-171/DIBCAC assessment, you might also be wondering about your responsibilities after you achieve certification. Will you need to demonstrate continuous improvement? How often do you need to be recertified? In the case of CMMC, have “final” post-certification obligations even been announced?
To cover every aspect of your CMMC or NIST 800-171 assessment, including “life after certification,” a recent episode of The Virtual CISO Podcast features two top consultants from Pivot Point Security: Caleb Leidy, CMMC Consultant/Provisional Assessor, and George Perezdiaz, CMMC/NIST Security Consultant. Hosting the show is Pivot Point Security CISO and Managing Partner, John Verry.
No continuous monitoring (probably)
According to Caleb, CMMC doesn’t currently specify a need for continuous monitoring, at least up to Level 3. However, he acknowledges that a monitoring requirement might be added for CMMC Level 4 or Level 5 certification. The announced CMMC requirement is for recertification every three years.
“I find that surprising, to be honest,” John comments. “Only because of the fact that we have an industry, especially in the case of the DIB, where folks didn’t really do what they said they were going to do. And now we’re trusting that they’re going to continue to do things, and we’ve got a two-year exposure window.”
“No other standard I know of [says], ‘Hey, you got a certificate for three years with no check-ins,’ so I wonder if that’s going to change,” speculates John.
Beware the DIBCAC
“That’s for the CMMC,” adds George. “There’s nothing to say that DIBCAC is not going to come visit you [again]. That’s the one thing that should always be in the back of your mind. Continue to do the right things. Continue to do what you have in your policy; that periodic [internal] review quarterly or once a year, whatever the case may be. Just do what you’re saying to the government that you’re going to do and be able to present that evidence that you’re doing it.”
The DIBCAC’s right to audit you on demand comes from the DFARS 7020 clause, which has been part of new DoD contracts since the so-called interim rule was announced in November 2020.
DFARS 7012 is still in force
Further, as Caleb points out, the new DFARS 7019, 7020 and 7021 clauses defined in the interim rule don’t negate the “original” DFARS 7012 clause: “DIBCAC is not coming behind and doing CMMC assessments. Their function is DFARS compliance. Your DFARS compliance [for 7019, 7020 and 7021] means having your assessments in SPRS, having your CMMC certification and allowing assessments to be done. 7012 is still going to operate for [NIST 800-171 compliance], so they can come and do those assessments when they want to.”
Likewise, to fulfill the requirements of the DFARS 7019 clause in your contract, you still need to maintain a NIST 800-171 compliance score not older than three years in the DoD’s SPRS database—even after you achieve CMMC certification.
This podcast episode with Caleb Leidy and George Perezdiaz, along with a number of other shows in The Virtual CISO Podcast lineup, is the perfect way to stay up-to-date on the evolving DoD cyber compliance picture.