ISO, RMF, CMMC, CMMC 2.0, DFAR, NIST 800-171, PCI, HIPAA, CMS, CCPA, GDPR. Dang! It makes me want to jump up screaming, “BINGO!” Or, as the old ladies used to scream when I was stationed in Maine some years ago, “BEANO!” All these years later, I still have to pause before yelling “Bingo!”
Figuring out which cybersecurity model you need to follow shouldn't be as hard as trying to decide whether to scream “Bingo!” or “Beano!” But it is one of those things that make IT and security teams want to pull their hair out.
In the late 90s came HIPAA. My first exposure to compliance requirements was as a Naval Officer editing at the early HIPAA drafts.
I started doing ISO and BS7799 audits in the early 2000s with Cisco. Traveling around the world, my team and I audited dozens of sites, using BS7799 (the British version of ISO 7799) as our guidepost.
Here's my point: I've been doing this for a LONG time. Technologies come and go. Best practices ebb and flow to meet the changing tide of need, but compliance has been the North Star that every CISO can rely on for funding. It's how I set my guidepost, regardless of the standard.
The Problem with CMMC
When I had the opportunity to work with the Department of Defense Cyber Crime Center (DC3), I jumped at it. We wanted to provide everyone a baseline, a common language, and a more standardized means of protecting themselves from cybersecurity threats. My framework preference has always been ISO combined with a CMM-SVC model. ISO provides effective security standards. CMMI-SVC gives us process and longevity. CMMC, it seems, was an attempt to marry these two standards.
However, after several years in the Washington, D.C. policy mill, CMMC was delivered. Unfortunately, it became clear that the government hadn’t considered what small companies deal with daily. CMMC had traces of ISO, RMF, NIST 800-171, and more. And, because of the all-or-nothing requirement (at the time), it has forced most small, inexpensive, innovator companies out of the market (the SBA told us at a recent conference, as many as 43%!).
As of November, CMMC 2.0 was announced. With few exceptions, it is now identical in security requirements to NIST 800-171. DFARS Clause 252.204-7012, dated SEP 21, 2017, is equivalent to CMMC 2.0, Level 2. You can be sure, however, that CMMC 2.0 will change many times before it becomes law.
So, what should you do? – Get prepared for CMMC by complying with DFARS and NIST 800-171 NOW!
- DFARS Clause 252.204-7012 is LAW. It calls out specifically the requirement to implement NIST 800-171. CMMC 2.0 will change dozens of times between now and when it becomes law, but you will be ready when it does if you take this approach.
- DIB companies, large and small, will be audited by the government (DIB-CAC) for compliance with NIST 800-171. If companies self-attest and are found lacking, there's a high likelihood that they'll be violating the Fraudulent Statements Act, incurring fines and losing the ability to bid on contracts. Even worse, the executive who signed the attestation could face jail time.
The CMMC Solution
Focus your dollars and efforts on complying with NIST 800-171. Why?
NIST 800-171 is already required.
NIST 800-171 is also CMMC 2.0 (Advanced, Level 2). Anything done for today's requirement will very likely not change in the final version of CMMC 2.0. Instead of spending money and resources on CMMC compliance, focus your resources and time on NIST 800-171 so that when the time comes, you can easily crosswalk it with CMMC.
Crosswalking from NIST 800-171 to CMMC is easier than you think.
Many of NIST 800-171 controls can be easily crosswalked with CMMC (and even with ISO, HIPAA, RMF, and more). By using a cybersecurity compliance management tool, MSSPs and contractors can not only simplify their NIST 171 compliance but also be prepared when CMMC is finalized.
We all want to win – at BINGO, business, and cybersecurity compliance. And the best way to do that is to build, manage and report on ALL your frameworks from NIST to ISO to CMMC with a partner and software solution that makes that easy. It is time to find partners who know the ropes and understand the sea of letters so you can win the compliance game.
Trusted Internet is a managed security service provider (MSSP), specializing in Fortinet technologies, helping companies through their government compliance hurdles. What we offer is simple; We install the firewalls, endpoints, training, etc. We then hand you a spreadsheet showing your SPRS score based on what we installed, with an attestation of what we believe to be your SPRS score. We do this at no extra charge, saving tens to hundreds of thousands of dollars in upfront consulting fees.
Interested in learning more about our CMMC Consulting? Contact Trusted Internet today.
CMMC Simplified in Apptega
With Apptega, MSSPs, contractors, and subcontractors are simplifying NIST 800-171 (and CMMC) compliance.
Just enter your framework information, and Apptega will automatically map your controls to NIST 800-171 for your SPRS score, or later, for CMMC 2.0.
Interested in learning more? Watch this 3-minute video demo.