The landscape of cybersecurity regulations in the United States has undergone a significant transformation over the years, reflecting the ever-evolving nature of cyber threats and the need to protect sensitive government and industry data. The journey of this evolution can be traced through three key milestones: NIST 800-171, Cybersecurity Maturity Model Certification (CMMC), and the Defense Federal Acquisition Regulation Supplement (DFARS) clauses. These regulatory requirements represent a dynamic response to the growing threats in the digital realm and the necessity for heightened cybersecurity standards in the defense and federal contracting sectors. Understanding the historical changes in these regulations is crucial in comprehending the current state of cybersecurity requirements and their impact on organizations engaged in government contracts and the handling of sensitive data.
The National Institute of Standards and Technology (NIST) is a US Government agency that helps other federal departments manage their risks and is well known for developing cybersecurity standards, frameworks, and best practices, with guidance on how to prevent, detect, and respond to cyber incidents. Its collection of best practices and guidelines drives the cybersecurity of public and private organizations and plays a large part in protecting national security. Notably, NIST has developed a number of Special Publications written specifically for federal agencies to regulate the cybersecurity infrastructure of the third parties and contractors with whom they work.
Following the enactment of the Federal Information Security Management Act (FISMA) in 2003, NIST published SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) to protect Controlled Unclassified Information (CUI) from cybersecurity threats. FISMA is a US federal law passed in 2002 that defines a comprehensive framework for protecting government information against various security risks. While FISMA primarily focuses on federal information systems, NIST 800-171 is geared towards protecting CUI in non-federal systems, such as those belonging to contractors, universities, and other entities that work with the U.S. government.
NIST 800-171 was developed to provide the security guidance behind Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, the DoD's original cybersecurity requirement for contractors.
NIST SP 800-171 is currently going through a major revision. NIST SP 800-171, Revision 3 (Final Public Draft) and SP 800-171A, Revision 1 (Initial Public Draft) were released on November 9, 2023.
Why should we stay informed about these revisions? Some of these changes will cost DIB contractors money, regardless of company size, as evidenced by the imminent CMMC regulation, under which non-compliance can leave a contractor unable to bid on and win government contracts.
Highlights of the changes:
NIST SP 800-171 r3 (Protecting Controlled Unclassified Information in Non-federal Systems and Organizations)
More information can be found at https://csrc.nist.gov/pubs/sp/800/171/r3/fpd
NIST SP 800-171A rev3 (Assessing Security Requirements for Controlled Unclassified Information)
More information can be found at https://csrc.nist.gov/pubs/sp/800/171/a/r3/ipd
The public comment period for both documents is open now through January 12, 2024.
Because no certification was required, the DoD found that contractors were claiming to meet all of the NIST 800-171 requirements when in reality they were not. The DoD therefore decided that a certification process was necessary to ensure that contractors and subcontractors in the defense industrial base (DIB) were compliant with a basic set of cybersecurity controls, and CMMC was born. CMMC is in the regulatory review process and is currently on its second revision (CMMC 2.0). This revision has condensed the maturity levels from five to three.
While the Government continues to finalize the new rules and certifications, contractors and subcontractors are encouraged to boost their cybersecurity postures in preparation for the final ruling and implementation.
Currently, CMMC 2.0 is under review by the Office of Information and Regulatory Affairs (OIRA), a statutory part of the Office of Management and Budget (OMB) within the Executive Office of the President, as part of the normal rulemaking process. OIRA had 90 days to review the rule but is now operating under a one-time 30-day extension, which ends on November 17, 2023. By that date, OIRA must decide whether to send the rule back for revisions or forward it for publication in the Federal Register. Once the rule is published in the Federal Register there will be a 60-day comment period, which takes us to January 2024. From that point, the rules can take one of two paths:
NIST SP 800-171 and CMMC requirements will be issued to government contractors through Defense Federal Acquisition Regulation Supplement (DFARS) clauses inserted into specific solicitations:
Existing Clauses:
Three newer clauses (introduced as part of the DFARS Interim Rule) expand upon the initial DFARS clause 252.204-7012.
Cybersecurity control regulations have evolved significantly, and we are on the verge of long-awaited changes that will better safeguard our national defense. It is imperative for DIB contractors to acquaint themselves with the forthcoming CMMC requirements and promptly take steps to implement the necessary security controls, ensuring regulatory compliance, a successful control assessment, and continued eligibility for government contracts.
Ingalls Information Security offers CMMC expert consulting services. Contact our DoD Services team for information.