The Schellman Blog

In the latest revision of documents pertinent to the ongoing CMMC countdown, NIST SP 800-171 R3 has been released. Though there were only a handful of changes in this new version, there were some significant ones regarding the assessment practices and their presentation that those monitoring the progress of CMMC should know.

With the introduction of the Cybersecurity Maturity Model Certification (CMMC) program, contractors working with the U.S. Department of Defense (DoD) will be required to meet a certain level of cybersecurity maturity ensuring the protection of the involved sensitive information and data, specifically controlled unclassified information (CUI) and federal contract information (FCI).

On October 27, 2023, the Office of Management and Budget (OMB) released a draft memorandum titled Modernizing the Federal Risk Authorization Management Program (FedRAMP). Savvy readers may have noticed the parallelism of the 2011 and 2023 FedRAMP memorandums to those for FISMA in 2002 and FISMA 2014—for FISMA, the latter memo focused on "Modernization" in comparison with the former one regarding "Management."

Back in August 2022—while rulemaking for the Cybersecurity Maturity Model Certification (CMMC) was ongoing (as it still is)—the Joint Surveillance Program (JSP) was sanctioned by the DoD and CyberAB as an interim step in the CMMC program that allowed organizations to pursue a formal DIBCAC High (NIST 800-171) assessment.

The Cybersecurity Maturity Model Certification (CMMC) is a framework that aims to better secure federal contract information (FCI) and controlled unclassified information (CUI) that is stored, processed, or transmitted by defense contractors and the entire defense industrial base (DIB). American defense data is incredibly valuable, and that includes highly sensitive personnel records and technical data. As such, the DIB continues to be a prime target for exploitation, and because a leak of such information could endanger the lives of government personnel and service members—not to mention the risk of billions of financial losses. Now, with the enactment of 32 CFR and 48 CFR, the Department of War (DoW) has established the legal basis of CMMC. As a premier CMMC third-party assessor organization (C3PAO) among the first authorized, we’re going to provide a complete introductory overview of this newer certification, including insight into what it constitutes, who will need CMMC, the requirements, and how to get certified so that as we approach the phased enforcement dates, you’ll be able to proceed with confidence.

To become FedRAMP authorized, you must pass the initial, rigorous FedRAMP assessment. But in the following years, you’ll also need to complete Annual Assessments performed by a third-party assessment organization (3PAO) if you’re interested in maintaining that compliance.

With the new SEC Cybersecurity Disclosure Rule requiring both the reporting of material cybersecurity events and the disclosure of cybersecurity programs for public companies, those affected are taking a closer look at cybersecurity frameworks that—while previously considered optional or “nice to have”—could help their organization meet the new regulatory requirements.

The National Institute of Standards and Technology (NIST) has made a significant move in introducing its groundbreaking AI Risk Management Framework (AI RMF). Designed to empower organizations and individuals with comprehensive risk management guidance, the AI RMF aims to create a world where AI can thrive responsibly.