Senior Consultant, Information Security Services, United States
Nobody knows exactly how much time remains until the third revision of NIST 800-171 goes live. Likewise, nobody knows exactly when CMMC will become an actionable rule. On the internet, information vacuums tend to get filled, regardless of whether the filling is accurate or based on anything approaching reality. For defense and aerospace contractors and subcontractors, the space is certainly being filled with updates, hypotheses, and proclamations from many different sources. How many of those sources can be trusted, however?
In the age of information, the kudos go to whoever breaks news first, even if the news is entirely inaccurate. In a recent Summit Up podcast, Jacob Horne discussed how many different sources had reported that CMMC had gone into effect because they saw an "effective date" of August 17, 2023 when they googled the DFARS clause relating to CMMC. Naturally, CMMC taking effect would be very big news, so some people went online, climbed onto their soapbox, and proclaimed that CMMC was now in effect. Of course, that is not the case. Watch the whole podcast for the actual story behind these effective dates.
Horne suggests these proclamations come from a lack of understanding of the FAR, DFARS, and CMMC. That may sometimes be the case, but what seems more likely is that numerous sources in the industry are anxious to be the first to break the news of CMMC going into effect, even if their announcements are incorrect and significantly premature. In an effort to become a relied-upon source of industry information, many individuals and organizations are instead damaging their brand's reputation with false alarms and incorrect information.
For OSCs and C3PAOs, among others in the industry who need accurate information about the rulemaking process, this makes an already intimidating environment seem even more unstable. How do you find the grains of truth in all of the noise?
The best approach is to seek information yourself from the most reputable sources available. In the case of CMMC, that is ultimately the Department of Defense. The Cyber-AB is also a good source of verified information. If you want to know more about the status of NIST 800-171, your best bet is the NIST website.
Beyond these major platforms, look for industry experts who are actually involved in the rulemaking process. The CMMC Marketplace page on LinkedIn is a good source of information. NIST also has an active Facebook page, although not every post will be relevant to NIST 800-171, as NIST is an expansive organization. Also seek out employees of the Cyber-AB, NIST, and the Department of Defense who are involved in the rulemaking or drafting process. NIST leadership is more active online than the Cyber-AB, but experts from both are out there disseminating credible, reliable information.
There is a lot of confusion and anxiety around rulemaking, especially since the impact is expected to be dramatic for many smaller members of the DIB. The most important thing now, and in the months to come, is to remain calm. The one thing that will not change is that every organization must have its own cybersecurity house in order. Focusing on that single, very large goal can be enough to drown out the superfluous noise outside your organization.
Beyond that, follow reputable sources who put information into the public sphere in a calm and collected manner. These days it is not hard to tell who is seeking attention from who is seeking to share important information.
And, of course, if you would like an objective conversation with an outside expert about your company's NIST/CMMC journey, you can always reach out to us.