May 7, 2024
DoD issues Class Deviation for NIST SP 800-171r2
Last week the DoD did a huge favor for the DIB, as evidenced in this memo published late Thursday:
The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer. This class deviation remains in effect until rescinded.
Why did this happen?
Well, the original 7012 clause states that contractors that handle CUI must implement the version of 800-171 "in effect at the time the solicitation is issued." Since NIST is about to release R3 (sometime this month), it would have required contractors to be fully compliant with R3 the day it is released (for new contracts and task orders).
This would have been problematic for several reasons:
- R3 has about 30% more requirements than R2, and since we haven't seen the final version, hardly anyone has seriously begun implementation.
- DoD hasn't updated the NIST SP 800-171 DoD Assessment Methodology to reflect the many changes from R2 to R3, so scoring a self-assessment against R3 currently isn't possible.
- Presumably SPRS will need to be updated to accommodate scores for R2 and R3.
- The proposed CMMC rule ties CMMC L2 to R2. Changing this will require another round of rulemaking, but before that can happen, the CMMC ecosystem has to catch up. This will take significant time.
What does this mean?
Well, first, I don't think "until rescinded" means forever. I think it was the fastest way to get something in place before R3 is dropped later this month. Just this once, DoD was proactive and averted a potential disaster.
I expect the new 7012 clause currently being drafted will include a drop-dead date for converting from R2 to R3. I also think that date will be a couple years out. DoD will have to update the Assessment Guide for L2, and then CAICO will need to develop new training for CCPs and CCAs, and then DoD will have to update the 32 CFR 170 CMMC rule to change it from R2 to R3. I'm guessing late 2026 (many of my colleagues think 2027 or even 2028 are more likely).
What should you do?
Complete your implementation of R2 and sign up for assessment! Seriously, the CMMC ecosystem is significantly understaffed, with far fewer C3PAOs and CCAs available than are needed. Add to that the new requirement that ESPs have to get their L2 cert before their clients can be assessed, and I hear the lines are already forming. Every C3PAO I know of has a waiting list, and the stampede will begin for real when the final rule is published (and guess what? current money is on an August release date).
Don't delay! And if you need help, you know where to find me!
How old is your SPRS self-assessment score? Might want to review this.
Sincerely,
Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107
If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!