These days, defense contractors need to stay nimble where compliance is concerned. As technological threats advance, the need for clarity, specificity, and simplicity increases, leading to changes in the regulations that govern contractor cybersecurity.
A recently released US Department of Defense (DoD) memo has spurred rumblings that the underlying NIST framework on which the DoD-mandated CMMC (Cybersecurity Maturity Model Certification) is based might be about to change.
Currently, CMMC 2.0 is built on NIST SP 800-171 Revision 2. The DoD’s publication, and the general speculation around it, lead us to believe that a change to Revision 3 is imminent.
What will this mean for defense contractors anticipating their CMMC 2.0 certification? Let’s find out.
What’s the Difference? NIST 800-171 Rev 3 vs. Rev 2
Revision 3 of NIST SP 800-171 was finalized in May 2024, replacing the previous Revision 2 that rolled out in 2020 (updated 2021).
The move consolidated requirements from 110 to 97, and made a few significant changes:
It’s now up to date with the current NIST SP 800-53 Revision 5: Using SP 800-53 as the single source of authority for security requirements, SP 800-171 now aligns with its parent standard by introducing more specific language, bringing in organization-defined parameters, and adding three new control families.
While SP 800-171 applies to non-federal organizations (contractors) that transmit Controlled Unclassified Information (CUI), SP 800-53 was designed solely for federal entities.
There are no more NFO controls: Under Revision 2, NFO (Non-Federal Organization) controls constituted “basic security expectations” that federal contractors were to already have in place. Because no further guidelines were given for maintaining these standards, many defense contractors failed audits because of a failure to document or implement them properly.
The confusion has been eliminated by making all requirements explicit in Revision 3.
It introduced new Organization-Defined Parameters (ODPs): ODPs are “fill in the blank” opportunities in which non-federal entities can customize Revision 3 security guidelines to their individual environments.
For example, 3.1.1.f requires organizations to “Disable system accounts when...The accounts have been inactive for [ODP].”
The contractor determines the timeframe in this case. However, the DoD’s memo recently outlined specific (though non-mandatory) values for those ODPs, which defense contractors can follow if they choose.
There are three new control families (PL, SA, SR): Revision 2 had 14 control families; Revision 3 has 17. The three new ones are Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR).
In addition, Revision 3 extends key data security requirements for external service providers and provides 19 new requirements covering areas not addressed before.
What Revision 3 Means for Defense Contractors
Currently, the CMMC 2.0 requirements that defense contractors must follow are still based on Revision 2. However, with the DoD’s published memo outlining specific ODP values, speculation is high that a transition to Revision 3 will happen soon.
For now, what that would mean is:
Defense contractors should define their own individual ODPs or look to the DoD’s memo for guidance.
Contractors need to implement the three new control families. For those that have already complied with CMMC 2.0, several elements of PL and SA are already in place; several more, however, are not, and none of SR is.
Non-federal organizations need to ensure that the requirements housed previously under ambiguous NFOs are now explicitly put into effect. These may mean the difference between
Early Transition Help from Fortra
As government contractors look to make the leap from NIST SP 800-171 Revision 2 to Revision 3, Fortra is here to help.
Although the latter version is not yet required for CMMC 2.0, it would be wise to implement the impending changes now. First, it provides additional clarity, security, and a better chance of success for the entity seeking certification. It also keeps organizations from wasting time re-treading ground: creating policies and codifying changes that are going to change again anyway.
Fortra provides tools, services, and expertise to make this transition easier. Our experts are skilled in cybersecurity compliance issues (both public and private sector) and can perform gap assessments that define how far you are from where you need to be.
Tailor security controls to predefined requirements, leverage our state-of-the-industry solutions to carry out data security goals, and perform continuous compliance monitoring so unauthorized changes won’t jeopardize compliance—or sensitive information.