Almost four years ago, the Department of Defense announced the Cybersecurity Maturity Model Certification (CMMC). CMMC was created to complement NIST SP 800-171, which focuses on protecting Controlled Unclassified Information (CUI). For those who aren’t familiar with what CUI consists of, a simple explanation is that, in the broadest terms, it covers sensitive information arising from government-business relationships. For example, general privacy data, contract details, and law enforcement-related information all fall under the definition of CUI. Each government agency maintains its own specifics about the categories of CUI relevant to it.
CMMC provides a way for organizations seeking government contracts to demonstrate cybersecurity preparedness against specific evaluation criteria. The first version of CMMC included five levels, each addressing a progressively higher degree of cybersecurity hygiene. As originally reported here, the requirements at these levels were extremely complex and cost-prohibitive for small and medium-sized businesses seeking certification.
Welcome to CMMC v.2
A new version of CMMC was recently released, and it is expected to make the process more accessible to businesses of all sizes. The new version reflects a strong effort to streamline the process. The CMMC website provides a “conceptual” comparison table:
Please note that while the new version attempts to resolve some of the issues with CMMC v.1, it is not without its flaws. In fact, the Department of Defense’s public comment clarifies exactly why the update was initiated:
“The Department values feedback from industry, Congress, and other stakeholders and received over 850 public comments in response to the interim rule establishing CMMC 1.0. The comments focused on the need to strengthen CMMC by (1) reducing costs, especially for small and medium-sized businesses; (2) increasing confidence in the CMMC assessment ecosystem; and (3) clarifying cybersecurity requirements and encouraging alignment with other federal requirements. CMMC 2.0 is designed to meet these goals and also help strengthen the cybersecurity of the defense industrial base.”
Competing interests?
One of the most important changes in the new CMMC is that organizations can now perform a self-assessment to achieve Level 1 compliance. However, concerns remain about this proposed revision, as NIST is also undertaking a similar effort to update SP 800-171.
NIST and the Department of Defense are not competitors, but the fluid nature of document references gives a different impression. For example, one commenter noted: “CMMC references NIST SP 800-171 Revision 2, so I believe there is a conflict. DFARS 252.204-7012 references the version of NIST 800-171 in effect at the time the request was issued.” The commenter continued, “We recommend that DFARS 252.204-7012 be updated in a separate rulemaking activity to specify NIST 800-171 Revision 2; otherwise, when NIST 800-171 Revision 3 is released, CMMC and DFARS 252.204-7012 will conflict regarding which revision of NIST 800-171 must be implemented.” It is easy to object to such a literal interpretation, since one would presumably expect the most recent document (in this case, NIST 800-171 Revision 2) to apply to references created earlier. But that does not make the point any less true: there is genuine confusion here.
Toward full implementation
The new version of CMMC is still in the “rulemaking process,” meaning it will not go into effect until the end of 2024 at the earliest. For those already working on implementing CMMC v.1, your efforts will not be wasted once the new version is finalized.
Anyone who has written a security policy document understands the complexity of covering all aspects important to a particular organization, as well as the practicalities of implementation. While the new CMMC may be perceived as incomplete, it provides more opportunities for organizations that were previously at risk of losing valuable government contracts.
Editor’s note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect the opinions of Tripwire.