Last Updated on January 18, 2024
Many organizations in the US defense industrial base (DIB) that handle Controlled Unclassified Information (CUI) have been working towards what was formerly CMMC Level 3 certification, now called CMMC Level 2. The current target is a little smaller thanks to a refocusing on NIST 800-171 cyber controls. And some firms may end up forgoing a third-party audit in favor of a self-attestation in SPRS with senior management sign-off. Otherwise, little has changed.
But what about the timeline to compliance? Isn’t that extended while the government makes rule changes to the Code of Federal Regulations (CFR) titles 32 and 48?
To outline impacts and expectations for CMMC 2.0 within and beyond the DIB, John Verry, Pivot Point Security CISO and Managing Partner, recorded a special episode of The Virtual CISO Podcast. On the show with John are two senior Pivot Point GRC advisors: George Perezdiaz, CMMC/NIST Security Consultant, and Caleb Leidy, CMMC Consultant/Provisional Assessor.
Flowdown from Primes
As someone working with DIB orgs every day, Caleb appreciates the reality of their current situation: “A lot of the clients that I’ve been working with were already kind of switching course (to NIST 800-171) because they’re getting the questionnaires and the pressure from Primes,” observes Caleb. “Primes are flowing down the requirements—the current requirements that are now the future requirements—and everybody’s kind of freaking out and they’re being put on timeframes.”
Caleb continues:
“So, a lot of folks are already refocusing on NIST 800-171, which is great. It’s where they should be. Those are current standing requirements that we’re going to need to focus on and get people compliant with, along with the DFARS per the interim rule. All of that is going to remain in place until this rulemaking process is finished to actually implement CMMC 2.0.”
George is seeing the same trend: “NIST 800-171 still reigns supreme, and the Prime Contractors are doing an excellent job at keeping everyone’s eyes on the ball. And that’s a constant reminder there, right? DoD may not have communicated since June of this year, but the Primes have been. If you have been identified as a top 20 critical technology or critical supplier for one of your Primes, the likelihood that they will want you to have a CMMC Level 3 certification [now CMMC Level 2] is there still.”
“We have seen most of the major Primes, over the last three months, [sending our clients] letters that basically say, ‘We’re holding your feet to the fire to get to this level by this point in time, and if you don’t, we’re no longer going to do business with you,’” John points out. “So, even if CMMC has changed, if the Primes don’t change what their expectations are, we’re still back to the same place we were.”
In other words, it’s all about flowdown. The Primes are being scrutinized for compliance with their contract clauses, and that scrutiny is flowing down to subcontractors across the DIB. This is making compliance with NIST 800-171 and relevant DFARS clauses time-critical for many SMBs in the defense supply chain.
The more things change, the more they remain the same…
What’s Next?
To listen to the complete episode with John, Caleb and George on CMMC 2.0, click here: EP#71 – Caleb Leidy & George Perezdiaz – CMMC 2.0 is Here! Find Out What It Really Means for DIB and Non-DIB USG Contractors – Pivot Point Security
For more timely guidance on what’s most key for DIB orgs to know about CMMC 2.0, try out this post: CMMC Piloting Efforts Suspended… Frustrating But Not Surprising (and Optimistic for “CMMC 2.0”) – Pivot Point Security