The information in this post is valid at the time of publishing.
On May 14th, 2024, NIST SP 800-171 Rev. 3 was released. The new revision resulted in “46 significant changes, 15 minor changes, 19 new requirements, and 33 withdrawn requirements”. A new revision arriving while contracts still reference the older requirements raises the question of which revision organizations are actually bound by.
As of May 20th, 2024, the DFARS requirements have not changed to reflect the release of NIST SP 800-171 Rev. 3. Organizations subject to DFARS clause 252.204-7019 are required to perform a self-assessment using the NIST SP 800-171 DoD Assessment Methodology referenced by DFARS clause 252.204-7020, and that methodology is aligned with NIST SP 800-171 Rev. 2. It follows that organizations seeking compliance are still bound by Rev. 2.
The DoD released a class deviation to clear up this dilemma: “The Office of the Under Secretary of Defense for Acquisition and Sustainment, in collaboration with the Office of the Chief Information Officer, today issued a Defense Federal Acquisition Regulation Supplement (DFARS) class deviation relating to the cybersecurity standards required for covered contractor information systems. The intent of this class deviation is to provide industry time for a more deliberate transition upon the forthcoming release of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, ‘Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,’ revision. This class deviation will also afford the Department of Defense time to best align any of the necessary supporting mechanisms. Specifically, this class deviation provides an alternative clause that will require contractors, who are subject to DFARS clause 252.204-7012, to comply with NIST SP 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued.”
CMMC 1.0’s unique requirement framework was scrapped and replaced with CMMC 2.0 because CMMC 1.0 was a complex maturity-based framework that didn’t align with NIST SP 800-171 Rev. 2. It simply didn’t make sense to have two different frameworks for one industry. The CMMC program was updated to replace the initial CMMC set of cybersecurity requirements with the already required NIST SP 800-171 Rev. 2 security requirements. The DoD’s CMMC page explains it like this: “Under CMMC 2.0, the ‘Advanced’ level (Level 2) will be equivalent to the NIST SP 800-171. The ‘Expert’ level (Level 3), which is currently under development, will be based on a subset of NIST SP 800-172 requirements.”
Now that NIST SP 800-171 has been updated, we will see changes to CMMC. The DoD’s CMMC page confirms this: “As a result of the alignment of CMMC to NIST standards, the Department’s requirements will continue to evolve as changes are made to the underlying NIST SP 800-171 and NIST SP 800-172 requirements.”
Organizations are bound by their contract requirements, so they should focus on the requirements actually in those contracts rather than on speculation about upcoming ones. The defense industrial base’s cybersecurity requirements for protecting controlled unclassified information (CUI) have always been clear; it is the speculation and anticipation around CMMC that has caused much of the confusion. It is better not to overthink it: focus on the task at hand and make sure your organization is compliant with the regulation, not the speculation.
If your organization is new to meeting its DFARS NIST SP 800-171 related requirements, then following NIST SP 800-171 Rev. 2 is the clear logical path. You need to enter an assessment score into the Supplier Performance Risk System (SPRS), and the only way to produce that score is the DoD Assessment Methodology, which is aligned with NIST SP 800-171 Rev. 2. Similarly, companies that need to renew their assessment score also need to follow Rev. 2.
Now that Rev. 3 has been finalized, organizations should start to read and understand this new set of requirements, which will likely apply within the next few years. Use the change analysis spreadsheet released by NIST to help with this. As the DoD releases more information on how the DFARS requirements will incorporate Rev. 3, organizations should start to draft updated system security plans and create POA&Ms to close any gaps they identify. You will then be ready for all those pestering emails from suppliers asking if you are compliant!