June 7, 2023
NIST 800-171r3 -- Coming soon! (sooner than expected)
NIST held a special webinar yesterday to discuss 800-171r3. There was some interesting background on the decisions they made along the way, but the real bombshell IMO is the updated timeline, especially for 171A. (Remember that 171A is the Assessment Guide, which tells us how to assess compliance, including a complete list of all the Assessment Objectives.)
Most people were expecting a delay of several months, perhaps even a year, between the final version of R3 and the release of the updated 171A. However, we now know that NIST began working on updating 171A as soon as the initial public draft of R3 was released. They are expecting to release the final public draft of R3 and the initial public draft of 171Ar3 at the same time -- this fall!
What does this mean for CMMC? Well, this means that the updated CMMC Model reflecting 800-171r3 will most likely come out much faster than I originally expected. This also increases the chance that official CMMC assessments will be based on R3 when they begin next year.
What does this mean for you? That depends largely on where you are in your preparation:
(1) If you have already implemented most of 800-171, you might seriously want to consider the Joint Surveillance Assessment Program (JSVAP). This is a sort of trial program whereby C3PAOs bring a qualified OSC to DIBCAC and they perform a CMMC assessment together. It counts as a High Assessment for SPRS now, and is intended to provide the OSC with a 3-yr CMMC certificate once those become available. In this way, you would be assessed on CMMC v2.0 now and have potentially 3-5 years to implement R3 before your following assessment.
(2) If you have not yet implemented most of 800-171, then I truly hate to say this, but you are falling even farther behind. I don't like that the bar is being raised just as more organizations are reaching for it, but that's where we are. The bad guys are getting more clever and more aggressive, and our cyber defenses aren't keeping pace. DoD is giving us a hard kick in the seat of the pants to catch up.
So now, more than ever, it's time to prepare.
Need more help? You know where to find me!