September 20, 2023
800-171r3, DFARS 7012 and CMMC 2.1 – Where are we now?
That’s a pretty big question, eh? That’s the topic of my talk at the joint ItenWired/AFCEA TechNet conference next month, but I’ll give you a brief overview here.
800-171r3 & DFARS 7012
Last week Ron Ross, one of the authors of NIST SP 800-171, posted an update on LinkedIn, which included these points of note:
- Completed the Final Public Draft of SP 800-171, Revision 3
- Working on the Initial Public Draft of SP 800-171A (Assessment Procedures)
- Both publications will be released simultaneously in Q1, FY24
Note that for the federal government, FY24 begins on October 1, 2023, so that means we will have the final version of R3 and the accompanying assessment guide sometime in the next three months. I’ve heard some contractors speculate it would be a year or more before R3 would become final, but that doesn’t appear to be the case.
This is really important, because DFARS 7012 requires implementation of “the security requirements in [NIST SP 800-171] in effect at the time the solicitation is issued.” When R3 becomes final, that’s the version referenced in all new contracts with the 7012 clause. That means all the new additions to 800-171 are about to become actual requirements, not proposed new requirements.
About those organization-defined parameters (ODPs)
This is something I haven’t written about previously, quite frankly because it makes my head hurt, it’s not clear who the organization is (the purchasing agency? the private contractor providing the goods/services?), and I didn’t want to confuse people (any more than necessary). But we have important new info in this regard, so here goes.
If you have actually read the draft R3, you have seen many many many controls with this language: “[Assignment: organization-defined X]” where “X” is something like policy, procedure, personnel, time period, etc. Ostensibly, these ODPs were included in R3 to provide “more flexibility,” but in fact they proved to be a huge source of confusion and discontent, as R3 defines “organization” as the government agency, which means that (theoretically) a contractor could have different security requirements under contracts for different agencies, or possibly even different KOs. That’s a nightmare scenario.
Fortunately, many of the comments on R3 addressed this topic and seem to have had some effect. In August, NIST stated that there would be fewer ODPs in the final version of R3. On September 8, InsideCyberSecurity.com reported on a conversation with Stacy Bostjanick (head of the CMMC program at DoD), where she said that “she is on a “tiger team” at the Federal CISO Council that includes NIST’s Victoria Pillitteri which is working … to define the “last few ODPs,” Bostjanick said, to make sure there are not “multiple flavors” at different agencies.” That is really good news.
CMMC v2.1
Until the rule actually comes out (expected to be sometime in the next month or two), we don’t know much for sure. We do know that several individuals and organizations have had meetings with OMB’s OIRA and the DOD on the subject in recent weeks, and we know the gist of those meetings. One group requested that a delay of 6 months be imposed before CMMC assessments would be based on 800-171 R3 rather than R2, while another group asked for 18 months. At this stage, we don’t know what the rule will say specifically about the different versions, but there’s no doubt that the CMMC model will have to be adapted to R3 in the very near future, after which time, assessments will take place on that model.
When will official assessments begin? No one knows for sure, but many people expect that an updated version of the CMMC Assessment Process (the “CAP”) will be released when the rule is published, and C3PAOs will be permitted to begin official assessments at that time.
An old proverb that applies to this situation more than ever: “When is the best time to plant a tree? 20 years ago. When is the second best time? Today.”
Need help? You know where to find me!
Remember, you can read past editions of this newsletter on our website, along with tons more information under the CMMC and Resources tabs. Feel free to share this update!
Sincerely,
Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107
If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!