How NIST 800-171 Revision 3 may impact CMMC

While the Department of Defense (DOD) did remove some of the controls known as the Delta 20 and process maturity elements when it announced Cybersecurity Maturity Model Certification (CMMC) 2.0, they could still possibly reappear in CMMC. If the National Institute for Standards and Technology (NIST) includes them in a new revision of Special Publication (SP) NIST 800-171, they are likely to appear in CMMC. Might the DOD’s lessons learned from CMMC encourage NIST to include these practices as part of the next revision?

What contractors preparing for CMMC should do

NIST is likely to revise SP NIST 800-171 later this year. What is expected to appear in that revision? Many speculate it will include the CMMC 1.0 Delta 20, a list of 20 suggested practices for contractors that was originally added to 800-171 in CMMC.  

The CMMC Third-Party Assessment Organization (C3PAO) Forum, a council of C3PAOs that publishes guidance and positions that help establish norms, shared its view that many of the Delta 20 should end up in the next revision of 800-171. The details of C3PAO’s official position are available in C3PA0's Delta 20 Recommendations on its website. 

Some suggest the process requirements might also make a comeback in Revision 3 of NIST 800-171, which were derived from NIST 800-53 and previously contained policy-type controls categorized as nonfederal organization (NFO) controls. The choice to not include NFO controls stemmed from the assumption that corporations would already have established policies and procedures. However, many are now saying the inclusion of those items in corporate policies and procedures is neither guaranteed nor consistent and, therefore, policy controls should be added to Revision 3 of SP 800-171. If not directly added as new controls when NIST modifies the companion assessment guide (NIST 800-171 A), the addition of new assessment objectives focused on policies and procedures could also occur. 

Currently, 49 of the 110 security controls included with 800-171 have assessment objectives to “define” something, which indicates a strong need for policy and procedure. There is no need to mandate the format and exact content of policies in the way CMMC 1.0 assessment guides did, but additional policy would be helpful to ensure controls stay in place over the three-year window of the certification.

How to respond

• First and foremost, contractors not already compliant with NIST 800-171 Rev. 2 and the requirements of CMMC 2.0 should focus on continuing with efforts to implement the controls. 
• Organizations that are remediating a gap related to one of the Delta 20 or policies and procedures should consider adding these items in case they later reappear.
• Organizations ready and confident that they are compliant with NIST 800-171 are encouraged to implement the Delta 20. Organizations should also update or create policies and procedures related to the 61 controls that are not already required per the CMMC assessment objectives.  Adding these will mean you are covered if Rev 3 adds such requirements but also helps to ensure your program is more mature and consistent. Also, these items are good for security and will help future-proof your compliance program.

For more information, contact our team or tell us about your CMMC assessment needs.