
The CMMC REQUIREMENT IS FAST APPROACHING

F1 combines our knowledge and awareness of the security and compliance frameworks and obligations with a skillset around IT infrastructure configuration and policy management to optimize initial and ongoing compliance. By virtue of F1's foundational approach to architecting our clients' infrastructure, we assure not just that initial attestations are achieved, but that organizations maintain that compliance posture.


F1 Provides NIST/CMMC Solutions

F1, a CyberAB-authorized Registered Practitioner Organization (RPO) and NIST SP 800-171 Rev. 2 compliant organization, specializes in regulatory compliance including NIST SP 800-171 and the upcoming CMMC. We have been tracking CMMC very closely since its inception. The new guidance regarding 2.0 will make CMMC an easier undertaking for companies all around. As a reminder, this is in the future. If you deal with the Federal government and transmit, process or store CUI, you must comply with DFARS 252.204-7012 now. Getting started on, or improving upon, your company's NIST SP 800-171 compliance right now will immediately help your company with future CMMC requirements.


Whether it is mountains of documentation, loads of meetings to review various logs, policies and procedures, or implementing technical security controls in Microsoft 365 GCC High (or commercial), F1 has your back. If you just want to have a conversation about whether any of this applies to you, where to start, how we can help, or the weather in general, reach out to us.

The CMMC Journey

Updated December 2023

If your company works on Federal contracts that may contain Controlled Unclassified Information (CUI), you should be very familiar with the requirement to meet the security standards in Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, which is to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting CUI in Nonfederal Organizations and Systems. This went into effect December 31st, 2017 and has been in contract verbiage since.


There was a series of breaches in the supply chain from 2017 to 2019 that led to the Department of Defense creating a standard, the Cybersecurity Maturity Model Certification (CMMC), in 2019 that required third-party attestation rather than self-attestation.


There have been several shifts in CMMC since 2019. The initial iteration had 5 maturity levels, expanded on NIST SP 800-171, and was governed by the CMMC Accreditation Board. After gathering feedback and industry testing, the 5-level version of CMMC (1.0) was scrapped before it was even finalized.


In November of 2021, the previous iteration of CMMC was replaced with a shiny, new version: CMMC 2.0! This cut the levels from 5 to 3, removed the 'maturity' processes, and allowed self-attestation at level 1, among other things. At level 2 it is essentially a very similar version of NIST SP 800-171, with a third-party governing body that can appoint companies to attest to compliance.


In April of 2022, the director of CMMC policy for the Office of the Under Secretary of Defense for Acquisition and Sustainment stated that she expected an interim rule requiring CMMC compliance could land as soon as May of 2023. It did not, in fact, land in May of 2023. However, there have been several new developments in the CMMC landscape since May.


In November of 2023, the Office of Information and Regulatory Affairs (OIRA) completed the regulatory review process. This may mean the CMMC rule could be published in December 2023, followed by a 60-day (or longer, as it is a rather large rule) public comment period. Remember, published doesn't mean 'effective right now.'


After that, the DoD will review and parse the comments and then publish the final rule. The tentative date for the final rule, agreed upon by most industry professionals at this time, is Q1 2025. From there, the DoD will start a 'phased roll-out' in contracts, meaning adding DFARS 252.204-7021 to groups of contracts over 3 years.


To add another interesting twist, in November 2023 NIST released the final public draft of SP 800-171 Revision 3 (Revision 2 is the version currently enforced under DFARS 252.204-7012). This draft is more concise but requires more assertion of 'determination statements.' The draft is currently in its public comment period, and industry anticipates its finalization near Spring of 2024.


CMMC and NIST SP 800-171 are very similar as things stand right now, but the fact that neither publication is finalized could mean further delays and disruptions down the line. Time will tell, but CMMC is inevitable.


If your company works on Federal contracts that contain CUI, you should be most of the way to compliance with the current iteration of CMMC, based on NIST SP 800-171 and that pesky DFARS clause. The delta between the current iteration of NIST SP 800-171 and current CMMC level 2 is substantial, but not insurmountable.
