As those in the field already know, government cybersecurity regulations are changing rapidly. While past requirements were based on the honor system of self-assessment for compliance, data security standards are changing and will require actual proof of compliance by CMMC-AB certified assessors.
At Rimstorm, we’re here to help. We offer numerous data security services to help achieve CMMC Compliance (Cybersecurity Maturity Model Certification), plus related compliance areas to ensure all government contractors are compliant at all times. One related area is the NIST 800-171, which is the foundation that CMMC is built upon.
The questions government contractors are asking are: what’s changing? How does CMMC work? And, what are the impacts of these changes on varying levels? This is particularly important for the DoD contractors who have access to CUI (controlled unclassified information) who will be required to meet CMMC Level 3.
This two-part blog series will go over everything you need to know.
Shifting Data Protection Regulations
As we noted above, the shift to requiring actual proof of CMMC compliance is relatively new. Previously, contractors only had to self-assess and declare themselves compliant with data security standards – but soon, this will be a thing of the past.
Now, the five levels of CMMC best practices will require actual proof. Without it, government contractors cannot work on new contracts requiring CMMC. This is a significant concern to many government and Department of Defense contractors, especially around 120,000 who will need to be at CMMC level 3 and have access to controlled unclassified information.
CMMC incorporates a number of pre-existing standards and regulations, including NIST SP 800-171, 48 CFR 52.204-21, DFARS 252.204-7012, and more. One of the primary goals is to combine these pieces into a single unified set of cybersecurity best practices that will cover the entire industry.
To do this, CMMC classifies best practices into 17 different domains with 43 different capabilities. Now, not all companies or contractors necessarily need to demonstrate all of these capabilities, and which you do need to prove will depend on the maturity level you seek.
CMMC Vs NIST 800-171
In late 2020, the DFARS interim rule was passed, driving home the introduction of CMMC. As we noted above, CMMC builds partially on the foundation of NIST 800-171, which up until that late 2020 point had been the primary dictating document in cybersecurity for DoD contractors dealing with CUI.
One of the major changes taking place here, however, is the shift from self-assessment to external assessment of compliance. Rather than contractors evaluating their own compliance, this will be done by third-party assessors. In addition, previous noncompliance with cybersecurity regulations would generally result in no consequences as long as the contractor or company prepared POAMs, but this is no longer true under CMMC.
CMMC also expands on NIST 800-171 through increasing security requirements, including adding 20 to level 3. These new requirements mostly speak to cyber hygiene. Until CMMC fully rolls out – we’ll discuss the timeline later in this series – both of these standards will coexist.
For more on CMMC compliance, CMMC assessments or any of our cybersecurity services, speak to one of our CMMC-AB assessors at Rimstorm today.