Why Everyone is Talking About NIST SP 800-171r3

If you are a defense contractor learning about CMMC and the associated requirements, you have probably heard a lot about NIST SP 800-171. There is a revision two, and revision three is going to be published soon. Why is there so much emphasis on the soon-to-be-released standard? There are three main reasons.

Revision Three is More Robust

It looks like the newest edition of the 800-171 standard is going to be more expansive than the current version. This relates to CMMC because CMMC is a certification that a third party has assessed a company and found it to be compliant with NIST 800-171. A NIST standard with more controls will mean companies will have to do more to earn that CMMC certification.

Which Revision Should Be the Priority?

When the proposed CMMC 2.0 rule was published, many noticed that NIST 800-171r2 was mentioned specifically numerous times. There have been a lot of questions around how long CMMC certification will be based on revision two versus revision three. The DFARS clauses dealing with CUI do not specify any one version of NIST 800-171. They simply say to adhere to the current version. Contractors want to know what they should be prepared for when they call in their C3PAO for an assessment.

How Long Will the Pivot Time Be Between Revisions Two and Three?

Right now, if your organization is on a compliance journey, you are pursuing compliance with NIST SP 800-171r2. You may have heard that the new version is due to be released sometime during this second quarter, and, indeed, NIST just announced that it is expecting to publish in May 2024.

We have been asked whether companies should hold off on complying with revision two and just wait for revision three, but right now, the best move is to work against the 110 controls of revision two. The big question is when everyone will have to switch to revision three and how that will work. Will CMMC reflect NIST SP 800-171r3 once it has been published? Will manufacturers have a year or two to fill any gaps between revision two and revision three? These are understandably hot topics.

Do Not Stop!

We definitely suggest you do not cease working on your NIST compliance while waiting to see what transpires with the new version. Even if you do not have to comply with revision three for a couple of years, you need to be in compliance with revision two now, and you will need to be in compliance in order to earn a CMMC certification.

Questions?

Do you have questions about all of these revisions and controls? Feel free to contact us. We are happy to schedule a meeting with you to learn more about your organization and what pathway may be best for you.
