DoD Contractors Focus on NIST While CMMC Is in Holding Mode

    The Department of Defense (DoD) pays close attention to the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The NIST framework is a set of standards for guiding cybersecurity efforts that include five core functions: identity, protect, detect, respond and recover.

    This framework provides organizations with a detailed understanding of how they can improve their security posture. DoD contractors are getting more involved in this effort as CMMC is put into holding mode due to recent leadership changes.

    Current Focus for DoD Security

    The National Institute of Standards and Technology (NIST) framework has been the center of many security conversations for a while now is not going anywhere. But, instead, it was about to become an even more important subject in 2017.

    “[The] NIST Cybersecurity Framework ” explains why this is so critical to government entities at all levels right now, including how it applies specifically to DoD defense contractors both nationally and internationally. It also provides insight into what steps cyber professionals should take next for implementing these guidelines within their organizations. Additionally, there will continue to be new certifications from the CMMC available throughout the year and changes in certification requirements based on compliance with specific industry standards.

    For example, the CMMC updated its Certified Cloud Security Professional (CCSP) certification to align with NIST’s guidelines for improving cloud security back in May 2016. This is just one of many examples that show how much work still needs to be done by both government agencies and their contractors to secure sensitive information on a national level. However, there are some geographical differences regarding cyber legislation so far as well.

    For instance, Vermont was the first state whose legislature voted for mandatory breach notification laws. Other states have also proposed or passed bills to protect data privacy during this same timeframe better, encouraging more conversations about legal requirements surrounding sensitive information protection even further throughout 2017. Of course, there will likely be changes since these are new laws, but they are a clear indicator that the government will not stop pushing for more robust security measures until it is achieved.

    For example, the Federal Information Security Modernization Act (FISMA) was updated in December 2015. So additional audits and restrictions were added while compliance with either NIST SP 800-171 or ISO 27001 standards became mandatory for all businesses working with protected information on an international level by January 2017. In addition, CMMC contracts have since begun requiring these certifications, which means many contractors may need to go through this same training if they haven’t already.


    The Delay of CMMC

    CMMC is a crucial part of the DoD’s cybersecurity strategy, and its delay could have wide-ranging implications for government contractors and their customers. The Defense Department has been diligently working on establishing this framework since 2014, with numerous high-level officials commenting about the critical need to incorporate it into all federal agencies as quickly as possible. In fact, in August 2016, it was reported that DHS would begin implementing CMMC within six months—a goal that wasn’t met.

    NIST 800-171

    NIST 800-171 provides the set of standards that must be met for controlling access to physical security systems within federal government agencies. Under NIST 800-171, contractors must have their information technology established by a CMMC (Certified Member of Management Control). The CSO believes it’s essential to hold contracts with companies that have achieved CMMC status to ensure compliance in the event of an audit.


    The volume of DoD solicitations and awards that specifically address NIST standards has declined since FY 2016. So the rate at which CMMC is issuing new guidance may be slowing, but there’s still plenty to keep contractors busy and earn money.