Compliance with the Defense Department's Cybersecurity Maturity Model Certification (CMMC) program is now mandatory for any defense industrial base (DIB) organization that wants to maintain or win DoD contracts. CMMC is based on the 110 security controls documented in the National Institute of Standards and Technology's (NIST) Special Publication 800-171, Revision 2, or Rev. 2. Even while many DIB companies are still hurrying to get their businesses compliant with this standard, the DoD is preparing to update its requirements to align with the next version of SP 800-171: Rev. 3.
A snapshot of NIST's Rev. 3
Published in May 2024, Rev. 3 updates the security requirements for protecting controlled unclassified information (CUI) in non-federal systems. It adds three new security control "families" to the 11 included in Rev. 2, emphasizing supply chain security, incident response and countering advanced threats. Rev. 3 also aligns more closely with the control structure and terminology of the widely adopted NIST SP 800-53 Rev. 5 standard, which details requirements for protecting the confidentiality, integrity and availability of information systems.
Technically, Rev. 3 has 13 fewer requirements than the 110 in Rev. 2, but in practice that does not mean there are fewer items on the checklist. In fact, there are more. Many of the withdrawn Rev. 2 requirements were simply merged into other requirements, so they still must be met. Additionally, Rev. 3 includes 88 organization-defined parameters (ODPs): specific controls, such as password length or session timeout duration, for which businesses must set values or thresholds. While NIST allows organizations flexibility in deciding these values, the DoD has instead defined exactly what they must be for CMMC compliance.
Another big change in Rev. 3 is the formal inclusion of basic security requirements known as non-federal organization controls (NFOs). Rev. 2 Appendix E listed 61 of these, but NIST erroneously assumed that organizations would routinely satisfy them, so it did not explicitly require them for compliance with the standard. Now, nearly all Rev. 2 NFO controls are core to Rev. 3, and they represent the bulk of Rev. 3's net new requirements.
Balancing focused and dynamic planning
While the DoD has not yet disclosed the exact timeframe for requiring Rev. 3 compliance, published memoranda indicate it is anticipated in future rule-making and will likely arrive within the next 12-18 months. How that affects DIB members depends on where they are in their CMMC journey. A growing number of DIB companies have achieved CMMC certification or are preparing for their certification assessment, but many others are still fairly far behind. How each organization approaches its preparation, and how it addresses both Rev. 2 and Rev. 3, depends on the timeline for when it intends to certify.
Even organizations that are already CMMC compliant will need time to implement this next standard. The migration requires planning, but with an important caveat. One of the biggest challenges will be migrating in a way that does not introduce what the DoD considers a "major change" to an information technology environment, as that could trigger a costly and time-consuming CMMC re-certification requirement. Unfortunately, the DoD has so far not defined what constitutes a major change, leading to rumor and speculation, two practices that simply are not helpful.
So how can organizations start migrating toward Rev. 3 without triggering a re-assessment? Flexibility is key. Although we cannot know with certainty until the DoD formally defines a major change, it is unlikely that taking some foundational steps will impose a re-assessment requirement.
All DIB companies currently pursuing CMMC certification should base their preparation on Rev. 2 until the DoD formally announces a firm Rev. 3 requirement. Companies should follow the NIST SP 800-171A assessment guide. Each requirement in Rev. 2 has corresponding assessment objectives that must be satisfied for the requirement to be considered implemented. While 800-171A does not explicitly label ODPs, it includes objectives known as "defines" and "specifies" that can be used to set parameters such as password length or session timeout duration.
Then, begin a Rev. 3 migration plan, and even start voluntarily moving to Rev. 3 before the DoD's rule-making is complete. Implementing the NFOs defined in Rev. 2 Appendix E will also provide a head start on addressing many of the new Rev. 3 objectives. These steps will take time and allow DIB members to keep moving while precise official guidance is being developed. Throughout, all DIB members should continue monitoring for updates and keeping track of official DoD rule-making around Rev. 3 adoption.
While DIB members must navigate some uncertainty, cyber threats have always been a moving target, and addressing them through proper cyber defense is a reality of modern business. The entire DIB must remember that CMMC compliance is a continuing journey that is necessary to protect our warfighters and our nation.
Ned Butler is lead CMMC certified assessor at Redspin.
© 2026 Federal News Network. All rights reserved.