To increase the cybersecurity posture of companies operating in government supply chains, the Department of Defense announced the creation of the Cybersecurity Maturity Model Certification (CMMC) in 2019, and a draft was made available.
On January 30, 2020, the DoD released Version 1.0 to the public.
NIST Special Publication 800-171 covers the protection of "Controlled Unclassified Information" (CUI) defined as information created by the government, or an entity on behalf of the government, that is unclassified, but needs safeguarding.
How to Prepare for CMMC
The biggest impact on companies that must comply with NIST 800-171 is that self-attestation is no longer an option.
The DoD is planning to migrate to the new CMMC framework, which will require all companies seeking NIST 800-171 compliance to work with an accredited, independent third-party organization.
Can We Do It Ourselves?
No. With CMMC, there is no longer an option for self-attestation.
It's important to note that although the method for providing evidence of compliance has changed, any documents you may have already created, such as a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M), will still be useful.
So, if you have already put resources into the creation of these types of documents, that effort is still valuable.
What's New in CMMC Version 1.0
There are many similarities in CMMC compared to NIST 800-171, and the goal remains the same: to protect CUI within government supply chains.
The original NIST Special Publication 800-171 was broken out into 14 different families of IT security requirements. In Version 1.0 of CMMC, the categories are slightly modified and now include 17.
One aspect that is unique to CMMC is that it introduces multiple maturity levels, ranging from 1 to 5.
- Levels 1 and 2 will only cover parts of NIST 800-171.
- Level 3 will cover NIST 800-171 plus a few other security controls.
- Levels 4 and 5 will expand even further to include additional security controls.
Technology Changes AND Process Changes
Cybersecurity is not a shopping cart where a secure IT environment requires nothing more than a full checklist. Instead, it is a combination of both technology changes and business process changes. This has always been our focus at Corserva.
If you've been putting off dealing with NIST 800-171 compliance and how CMMC impacts you, contact Corserva; we can help. We provide assessments for NIST 800-171 and CMMC readiness services.
Corserva is a CMMC-AB Registered Provider Organization™ (RPO) and we are listed on the Marketplace for the CMMC Accreditation Body (CMMC-AB).