Last Updated on August 31, 2023
The long and winding road that will ultimately lead to the Cybersecurity Maturity Model Certification (CMMC) rollout across the US defense supply chain is finally nearing its end. The US Department of Defense (DoD) recently completed its part of the CMMC rulemaking process. It has passed the draft rules to the Office of Management and Budget (OMB) for one last public comment round and/or instantiation of a new Defense Federal Acquisition Regulation Supplement (DFARS) 7012 clause into new DoD contracts.
Why “and/or”? Because the OMB, owing to extensive prior opportunity, may not entertain further public comment. If that’s the case, the OMB could approve the CMMC language as an interim final rule for use in contracts in as little as 60-90 business days (roughly January 2024).
If there will be one more round of public comment, CMMC will be designated a proposed final rule with a go-live timeframe somewhere between October 2024 and January 2025.
More certainty but not complete certainty
“We have a lot more certainty about timeframes because we know where we are in the rulemaking process,” said Warren Hylton, FedRisk Consultant at CBIZ Pivot Point Security. “The good news is that we know with some certainty that we’re going to see CMMC. It’s just a matter of we don’t know exactly when.”
What do the tea leaves and industry oddsmakers say about which path the OMB will take? On one hand, recent OMB rulemaking actions involving the DFARS 7019 and DFARS 7020 clauses led to proposed final rules with year-long comment periods. Conversely, comments and responses on CMMC to date are already becoming redundant.
“From a rulemaking process standpoint, this saga of getting the CUI protections into DFARS goes back ten-plus years,” Warren noted. “Obviously they’re hearing the comments, but they’re not enough to make them change course on anything.”
Transitioning to NIST 800-171 Release 3
Whichever route the CMMC rulemaking now takes, it will mandate compliance with the NIST 800-171 cybersecurity standard. This guidance is now also a moving target independent of CMMC language in DFARS 7012, as NIST is in the process of updating it to Release 3. The changes are significant, based on a shift from 110 total controls in NIST 800-171 Rev. 2 to 138 in Rev. 3.
What’s the recommended strategy for transitioning your cybersecurity controls? If you’re already have a mature, NIST 800-171 Rev. 2 compliant security posture, then you have security assessment and risk assessment capabilities, as these are required controls.
“What I would recommend is the next time you’re doing your annual risk assessment or security assessment, you need to include the NIST 800-171 Rev. 3 controls,” Warren advises. “Here are the new controls, here are the new risks, follow your own procedures and assess your environment against these revisions.”
When do you need to be NIST 800-171 Rev. 3 compliant? Whatever the timing of your next internal security/risk assessment, now is the time to be planning and moving in that direction. Unlike the CMMC rulemaking process, NIST does not need to factor public comment into its update process for documents it publishes. All orgs in the US defense industrial base (DIB) will need to be NIST 800-171 Rev. 3 compliant by the time the new DFARS 7012 clause with CMMC language starts appearing in DoD contracts.
For more guidance on this topic, listen to Episode 122 of The Virtual CISO Podcast with guest Warren Hylton from CBIZ Pivot Point Security.