CMMC may be delayed – But it’s not going away. Here is what you still need to do now…

As you have likely heard, CMMC rulemaking will be delayed for up to a year while additional Government entities review and approve it. The Government may also be looking at improving the consistency of the requirements and standardizing them so that they can be applied to non-DoD agencies as well. However, it is certain that DoD prime contractors will still require members of their supply chains to at least self-certify well before rulemaking completes, as they cannot afford to wait for that eventuality. Therefore, we urge all of you to continue your progress toward obtaining or maintaining NIST 800-171 compliance.

The bright side is that you have a little more time to get ready, so the focus should be on what we know will be required. One thing we know will be required is an audit trail. It is important that you start the required processes now so you can build a repository of artifacts (such as your System Security Plan, policies and procedures, and SPRS assessment results) that shows a history of compliance. This is required by all audits and is specifically called out by CMMC, and we are confident that requirement is not going anywhere.

Another key requirement is NIST 800-171 compliance, as that will be the minimum required. It is already in place for most DoD contracts, and depending on your DFARS clause you are required to calculate a SPRS score, which is based on NIST 800-171 Rev. 2 compliance. If you don’t do this now, you will likely need to soon, so you may as well get started. It is also a great way to evaluate your overall security posture, which is why we do this in the first place. BSC can help by independently calculating your score and providing gap mitigation. We can also help you put together a NIST 800-171 compliant System Security Plan if you don’t have one in place; an SSP is already required for SPRS and is certain to be part of any CMMC requirements.

So, once again, let’s get started on the tasks that are certain; this will greatly ease your workload when the final rules come down. One of the reasons for the delay is that DoD wants to make the process friendlier to small businesses. Our expectation is that when this rulemaking is final, low- to moderate-risk Level 2 organizations might only be required to provide a SPRS score along with more detailed documentation, such as the System Security Plan and policies and procedures, rather than undergo a C3PAO assessment. We think the CMMC-AB was likely too aggressive, and DoD is reining them in because there simply won’t be enough C3PAOs to perform the thousands of assessments. We believe that if you are compliant with NIST 800-171 and have the artifacts in place to prove it, you will weather any changes in CMMC smoothly.

How can BSC Systems Help?

BSC is helping small and medium-sized businesses prepare for CMMC changes, including demonstrable compliance with NIST 800-171. We have a proven track record of helping businesses of all sizes meet these requirements; contact us for a list of references. As a Cyber-AB Registered Practitioner Organization, we have tools, templates, expertise and other support ready to be tailored for your organization to help you establish a compliant and more secure environment. Give us a call or send us an email for a free one-hour consultation to discuss your needs. Call Philip Norton at (703) 405-7131 or email pnorton@bscsys.com. Also visit our website at www.cmmcrx.com.