While the Department of Defense (DOD) did remove some of the controls known as the Delta 20, along with the process maturity elements, when it announced Cybersecurity Maturity Model Certification (CMMC) 2.0, they could still reappear in CMMC. If the National Institute of Standards and Technology (NIST) includes them in a new revision of NIST Special Publication (SP) 800-171, they are likely to appear in CMMC. Might the DOD's lessons learned from CMMC encourage NIST to include these practices in the next revision?
NIST is likely to revise NIST SP 800-171 later this year. What is expected to appear in that revision? Many speculate it will include the CMMC 1.0 Delta 20, a list of 20 suggested practices for contractors that CMMC 1.0 originally added on top of 800-171.
The CMMC Third-Party Assessment Organization (C3PAO) Forum, a council of C3PAOs that publishes guidance and positions that help establish norms, has shared its view that many of the Delta 20 should end up in the next revision of 800-171. The details of the Forum's official position are available in the C3PAO Forum's Delta 20 Recommendations on its website.
Some suggest the process requirements might also make a comeback in Revision 3 of NIST 800-171. NIST 800-171 was derived from NIST 800-53, and the policy-type controls in 800-53 were previously categorized as nonfederal organization (NFO) controls and left out of 800-171. The choice not to include NFO controls stemmed from the assumption that corporations would already have established policies and procedures. However, many are now saying the inclusion of those items in corporate policies and procedures is neither guaranteed nor consistent and, therefore, policy controls should be added to Revision 3 of SP 800-171. Even if they are not added directly as new controls, NIST could add new assessment objectives focused on policies and procedures when it modifies the companion assessment guide (NIST SP 800-171A).
Currently, 49 of the 110 security controls in 800-171 have assessment objectives that require the organization to "define" something, which indicates a strong need for policy and procedure. There is no need to mandate the format and exact content of policies in the way the CMMC 1.0 assessment guides did, but additional policy requirements would help ensure controls stay in place over the three-year window of the certification.
For more information, contact our team or tell us about your CMMC assessment needs.