//

From NIST Information Security Guidelines to CMMC: What Do the New Regulations Entail?

4 mins read

With the Department of Defense’s (DoD) new security regulations around the corner, it is imperative for government contractors to stay up to date with how the guidelines and expectations have shifted from NIST SP 800-171 and NIST SP 800-53 to Cybersecurity Maturity Model Certification (CMMC).

As the threat landscape continues to evolve, systems used by the U.S. government, become increasingly popular and attractive targets for cyber attacks (due to the sensitive and critical nature of the information they store), organizations have been forced to take the steps needed to protect the integrity of their systems and the data within them.

The new CMMC will require all contractors that work directly or indirectly on DoD contracts to be certified. By meeting CMMC guidelines, it will prove the company’s IT systems are capable of protecting DOD-sensitive information and will help companies gain a competitive advantage.

The regulation will build upon existing frameworks from NIST. CMMC outlines a 5-tier certification model for government contractors to ensure they establish the controls needed to protect sensitive data including Federal Contract Information and Controlled Unclassified Information (CUI).

The 5 certification tiers in CMMC range from basic controls, likely appropriate for smaller subcontractors, to highly sophisticated, state-of-the-art controls, likely appropriate only for the largest, strategic contractors.

Level 1 indicates a contractor has basic cyber hygiene and can safeguard FCI, level 3 indicates a contractor has good cyber hygiene and is capable of protecting CUI in compliance with NIST SP 800-171 pursuant to the existing DFARS 252.204-7012.

For companies to attain a level 4 and 5 certification will require that are not only protecting CUI, but also reducing the risk of ATPs. CMMC will draw upon NIST’s new SP 800-171B’s enhanced cybersecurity requirements, which are intended for critical programs and high-value assets.

Regardless of the certification level, all government contractors and subs with access to sensitive data must be certified, with CMMC, there is no self-certification.

Full implementation of CMMC has been projected to take several years because it will not apply to contractors retroactively. The DoD has suggested it may be 2026 before CMMC is incorporated into all DoD contracts as many recently issued contracts will come up for renewal or recompetition. Going forward, the CMMC model will be updated at least annually to keep up with changing threat environments and technological capabilities.

Potomac Officers Club will host its CMMC Forum 2020 on April 2. Click here to register for the event.

Katie Arrington, chief information security officer at the Office of the Assistant Secretary of Defense for Acquisition and a 2020 Wash100 Award recipient, will serve as a keynote speaker at the CMMC Forum 2020. She will address the CMMC’s timeline, how the certification process could change and will provide a memorandum of understanding with a newly established CMMC accrediting body.

A full expert panel will include Ty Schieber, senior director of executive education and CMMC-AB chairman of the University of Virginia and Richard Naylor of the Defense Counterintelligence and Security Agency (DCSA) among other members of the federal sector and industry.

Register here to join Potomac Officers Club for its CMMC Forum 2020 on April 2nd to learn about the impact DoD’s CMMC will have on cybersecurity practices, supply chain security and other aspects of the federal market.