What is CMMC? CMMC Update Archives CMMC Links
Security Awareness Training Public Speaking Expert Witness
Newsletters Whitepapers Articles Videos Interviews Additional Resources
CMMC Update by Glenda R. Snodgrass for The Net Effect
[ View this email in your web browser ] [ Visit our archives ] [ Sign Up for this Newsletter ]

May 7, 2024

DoD issues Class Deviation for NIST SP 800-171r2

Last week the DoD did a huge favor for the DIB, as evidenced in this memo published late Thursday:

The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer. This class deviation remains in effect until rescinded.

Why did this happen?

Well, the original 7012 clause states that contractors that handle CUI must implement the version of 800-171 "in effect at the time the solicitation is issued." Since NIST is about to release R3 (sometime this month), it would have required contractors to be fully compliant with R3 the day it is released (for new contracts and task orders).

This would have been problematic for several reasons:

  • R3 has about 30% more requirements than R2, and since we haven't seen the final version, hardly anyone has seriously begun implementation.
  • DoD hasn't updated the NIST SP 800-171 DoD Assessment Methodology to reflect the many changes from R2 to R3, so scoring a self-assessment against R3 currently isn't possible.
  • Presumably SPRS will need to be updated to accommodate scores for R2 and R3.
  • The proposed CMMC rule ties CMMC L2 to R2. Changing this will require another round of rulemaking, but before that can happen, the CMMC ecosystem has to catch up. This will take significant time.

What does this mean?

Well, first, I don't think "until rescinded" means forever. I think it was the fastest way to get something in place before R3 is dropped later this month. Just this once, DoD was proactive and averted a potential disaster.

I expect the new 7012 clause currently being drafted will include a drop-dead date for converting from R2 to R3. I also think that date will be a couple years out. DoD will have to update the Assessment Guide for L2, and then CAICO will need to develop new training for CCPs and CCAs, and then DoD will have to update the 32 CFR 170 CMMC rule to change it from R2 to R3. I'm guessing late 2026 (many of my colleagues think 2027 or even 2028 are more likely).

What should you do?

Complete your implementation of R2 and sign up for assessment! Seriously, the CMMC ecosystem is significantly understaffed, with far fewer C3PAOs and CCAs available than are needed. Add to that the new requirement that ESPs have to get their L2 cert before their clients can be assessed, and I hear the lines are already forming. Every C3PAO I know of has a waiting list, and the stampede will begin for real when the final rule is published (and guess what? current money is on an August release date).

Don't delay! And if you need help, you know where to find me!

How old is your SPRS self-assessment score? Might want to review this.



Glenda R. Snodgrass Sincerely,

Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107

If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!

TNE. Cybersecurity. Possible.

Speak with an Expert

Contact

The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
fax: (251) 433-5371
email: sales at theneteffect dot com
Secure Payment Center

Site Map

Home
Employee Training
Security Awareness Training
Public Speaking
Expert Witness
Workshops
About

Resources


CMMC
Newsletter
Whitepapers
Articles
Videos
Interviews

The Net Effect, LLC

Copyright 1996-2024 The Net Effect, L.L.C. All rights reserved. Read our privacy policy