We have gotten a few questions lately asking what the difference is between NIST compliance and CMMC compliance. While there was some talk early on about CMMC representing a different set of controls, that is no longer the case. In fact, CMMC is not a standard of its own at this time; it is an assessment and certification program built on top of NIST SP 800-171. So, what is CMMC and how does it relate to NIST SP 800-171?
CMMC 2.0 is built on a third-party assessment foundation. Rather than a separate standard for which contractors could still submit their own self-assessments, a CMMC certification confirms that a company is fully compliant with NIST SP 800-171. You must be assessed by a C3PAO (CMMC Third-Party Assessment Organization), which will issue a letter of conformance until official CMMC certification is available. Everything being assessed, however, will be under the NIST SP 800-171 umbrella: the same control set, the same assessment objectives, and the same requirement for evidence that each control is actually implemented.
Third-party assessments were proposed after DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) reported that self-assessed scores were frequently overstated and that contractors were falling well short of NIST SP 800-171 compliance. There will still be annual self-assessments in year one and year two after the initial conformance letter or certification, but to officially be CMMC-certified, a company will have to be assessed by a third-party assessor.
As of this writing, CMMC is due to be published by the Department of Defense any minute. In all probability, it is going to be released as a proposed rule. That means there will be time for public comment and then time for the DOD to react to those comments. It is expected at this time that CMMC will appear on contracts beginning during the first quarter of 2025.
One of the questions the industry is hoping to have resolved when the rule is published is how CMMC will track with the 800-171 standard. Currently, companies need to be in compliance with revision 2 of NIST 800-171, but revision 3 is due to be published and finalized during the spring of 2024. It is unknown whether CMMC will specify compliance with a specific revision or if it will leave time for companies to move from revision 2 to revision 3.
The proposed rule has since been released: CMMC 2.0 was published as a proposed rule on Friday, December 22, 2023. Despite that, little has changed since December 21 in terms of what contractors need to be working on right now.
If you are a contractor that works with the Department of Defense, either directly or through a prime, the top priority is to make sure you are compliant with NIST SP 800-171 r2. NIST compliance has been a contractual requirement since 2018, but with self-assessments many companies have been able to squeak by with few or none of the required controls actually implemented. With CMMC imminent, those days are over.
If you are also interested in the ISO 27001 standard for information security management systems, you can kill two birds with one stone without a great amount of extra effort: the scoping, policies, control implementation, and evidence collection you do for NIST SP 800-171 overlap heavily with the ISMS and Annex A controls ISO 27001 asks for.
If you have any questions about where your organization is currently situated or what should come next, feel free to contact us for a no-obligation meeting. We are happy to answer your organization-specific questions.