May 19, 2022

Last Updated on January 13, 2024

CMMC and NIST 800-171 compliance oversight is gaining momentum not just from the US Department of Defense (DoD) but also other federal agencies, such as the Department of Homeland Security (DHS) and the General Services Agency (GSA).

As rulemaking changes within the Code of Federal Regulations (CFR) proceed, when should MSPs/MSSPs serving the US government and its contractors be ready to demonstrate to clients and regulators that they can protect Controlled Unclassified Information (CUI)?

To give MSPs/MSSPs and their clients the latest guidance on emerging CUI protection mandates, a recent episode of The Virtual CISO Podcast features Caleb Leidy, CUI Protection and CMMC Consultant at Pivot Point Security. John Verry, Pivot Point Security CISO and Managing Partner, is the show’s host.

CMMC assessments are beginning

The CMMC Accreditation Body (CMMC AB) is gearing up for voluntary CMMC assessments in advance of CMMC compliance appearing as a requirement in defense contracts. As Caleb points out, these audits will reveal a lot about how MSPs will be assessed and what questions will emerge along the way.

“I don’t think we’ll see a whole lot that’s specific to MSPs in the FAR CUI rule—more around the federal CUI program and standardization across the board,” Caleb observes. “For the DoD rules, I’m not sure how clear they’re going to be, right? That could very well range from, ‘You need to have a CMMC certification as an MSP that’s handling CUI,’ [up to requiring] a FedRAMP Moderate ATO.”

CMMC rulemaking progress

CMMC 2.0 is being implemented through rulemaking changes to the Code of Federal Regulations (CFR), Parts 32 and 48. The CFR applies to all the US federal government agencies, not just DoD. Likewise, the different classifications of CUI encompass the entire US government supply chain, not just defense. The bulk of the changes impacting CUI protection across the US government will take place in 48 CFR Part 1.

After the 48 CFR Part 1 rulemaking is complete, when might MSPs start seeing new CUI protection requirements (e.g., NIST 800-171 compliance at a minimum) “flow down” to them from agency clients or customers in industries like transportation, legal, education, healthcare, etc. or appearing in contracts?

Potentially, new CUI protections could be mandated in contracts immediately after the rulemaking process is completed. But Caleb thinks there might be some extra breathing room:

“There are so many different extra CUI requirements on top of NIST 800-171, or the basic CUI safeguarding rules. That’s part of the reason why it’s taking them so long to work this all out, right? It started in 2010 with the [Obama] executive order. Here we are 12 years later almost getting to starting the program.”

What’s next?

To listen to this informative show with Caleb Leidy, click here.

Want more insight into how CMMC 2.0 rulemaking could impact your business? Check out this blog post: CMMC 2.0 Rulemaking: What are the Implications for Government Contractors Outside the DIB?