May 19, 2022

Last Updated on January 18, 2024

With the finalization in March 2022 of NIST SP 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information, the US Department of Defense (DoD) can potentially move closer to rolling out an assessment program for CMMC 2.0 Level 3 (Expert). A widespread presumption about CMMC Level 3 certification is that it will require compliance with the NIST 800-172 “enhanced security requirements” supplement to NIST 800-171, or a subset thereof.

Is there any news on this front? And how likely is it that an MSP or MSSP would need to achieve CMMC 2.0 Level 3 compliance?

To update MSPs/MSSPs and their clients on evolving CUI protection concerns, a recent episode of The Virtual CISO Podcast features Caleb Leidy, CUI Protection and CMMC Consultant at Pivot Point Security. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.

Expert is expert

Will CMMC Level 3 impact your MSP/MSSP business? That depends on who your clients are. What controls and requirements are you responsible for? How are you providing security for your clients’ CUI?

Most importantly, what “critical programs” are your clients working on? Once the DoD decides which programs require CMMC Level 3 protections, MSPs can start reading the tea leaves regarding their compliance requirements.

For example, if your clients are working on “prioritized acquisitions” like fighter jet programs or command/control systems, they might very well need to comply with CMMC Level 3, and therefore flow CMMC Level 3 compliance requirements down to their subcontractors and vendors.

What will CMMC Level 3 look like?

Caleb relates that in addition to NIST 800-171 compliance, CMMC Level 3 is anticipated to involve a subset of the NIST 800-172 controls, not all of them. Exactly which controls those will be is TBD.

What’s next?

To hear the complete podcast episode with Caleb Leidy, click here.

Have questions about whether your business handles CUI? Here’s a related blog post: 3 Reasons Why It’s So Hard to Identify CUI