Planet’s position that cybersecurity ‘compliance’ means being able to prove security to the people who matter is central to this discussion. Since 2017, Department of Defense (DoD) acquisition rules have required DoD vendors to implement the 320 assessment objectives of the 110 security requirements, grouped into 14 control families, of NIST Special Publication 800-171 revision 2. DoD also required vendors to self-report their self-assessed implementation scores—and it should surprise no one that the majority of vendors reported exceptionally high scores! Over time, the DoD has become convinced that the self-reporting is not reliable. Post-incident analysis, non-scientific sampling of the defense industrial base, and False Claims Act lawsuits all contributed to DoD’s perception that something had to change. Enter CMMC.
Leaving aside CMMC’s history and the fact that it is still not a finalized rule, there are numerous elements that make CMMC different from implementing National Institute of Standards and Technology (NIST) 800-171. The first and most prominent difference is that CMMC requires DoD vendors to hire and pay for independent third-party assessments. Those assessors will report scores to DoD based on standardized assessment methodologies. A second difference is that CMMC restricts the flexibility inherent in 800-171: its assessment methodology is restrictive enough that an organization that passes a DoD assessment by DoD assessors could easily fail a CMMC assessment. There are continuing frustrations within the defense industrial base (DIB) that the DoD is ineffective at marking CUI and, when it does apply markings, misapplies the label to material that is not protected (e.g., lunch invitations marked as CUI, meeting requests marked as CUI). Anecdotally, organizations that have chosen to ‘pilot’ CMMC indicate that an organization starting at zero should expect 12-18 months of effort with 2-4 full-time persons, and that ad hoc teams of up to 10 people are necessary to have high confidence in a first-time pass!
Like NIST 800-171, CMMC focuses on protecting the confidentiality of CUI. CMMC requires providing proof of security to an independent assessor. CMMC requires a combination of people, processes, and technology to achieve repeatable and provable security. As with 800-171, there remains a sizable contingent of knowledgeable professionals who insist that being secure does not require the heavy-handedness of NIST special publications or third-party assessors. For those skeptics, the coming requirements are a source of frustration and, from their perspective, a diversion of resources.
CMMC is likely to become a final rule in the Federal Register this year, with a multi-year phase-in period. Planet encourages all of its defense industrial base customers (e.g., colleges, research centers, DoD material vendors/suppliers) to implement NIST 800-171 on their path to an eventual CMMC assessment. Those who wait will likely find it more difficult to find quality consultants to prepare for assessments. Waiting will also likely incur additional costs, as the pool of assessors is fairly small compared to the size of the DIB.
Like 800-171, the foundations of CMMC remain: write what you do, do what you write, and be able to prove it.