Page 143 - Cyber Defense eMagazine September 2023
In the cyber world, where threats are perpetually evolving, ambiguity can be a catastrophic recipe.
Contractors require certainty to safeguard themselves and their partners effectively, ensuring robust
protection of vital national interests. The present scenario, wherein the details of the requirements remain
nebulous, does not allow for such effective security measures to be put in place.
Moreover, the confusion not only causes an operational hindrance but also stokes the flames of anxiety
among industry players. The lack of clarity can result in potentially avoidable mistakes, furthering the risk
exposure of the entire supply chain.
A Race Against Time Amidst Unclear Directives
The vacuum of precise information or guidelines concerning the Level 3 requirements has precipitated a
frantic race against time among contractors. With a summer deadline for Level 3 announced, businesses
find themselves in a maelstrom as they grapple with the lack of specifics.
Adding to this complexity, the National Institute of Standards and Technology (NIST) has released a draft
revision of SP 800-171. The industry comment period for Revision 3 ended on the 15th of July, and NIST
is looking to have the revision ratified in late 2024 or early 2025. This not only affects the CMMC standard,
as Levels 1 and 2 are based solely on NIST SP 800-171, but also increases the number of
controls from 110 to 138 and introduces Organization-Defined Parameters (ODPs). The Rev 3
standard's introduction of ODPs allows a company to define cost and effort based on its size and
budget, somewhat alleviating stress for smaller companies without the budget for high-dollar security
infrastructure.
This scenario sets up an alarming situation where businesses are preparing for a certification process
that might span anywhere from several months to an entire year. Without definitive guidance, businesses
are forced to speculate, leading to increased stress levels and potential oversights that could have severe
repercussions. Furthermore, the changes to the SP 800-171 standard present additional challenges, as
businesses must now adapt to new controls and guidelines.
Such frantic preparation also eats into valuable resources, both human and financial. The inherent
uncertainties can lead to companies allocating more resources than necessary, leading to inefficiencies
that strain the entire process. The looming changes to the SP 800-171 standard further compound these
issues, making the race against time even more critical.
The Ripple Effects: Concerns over Auditors and Industry Implications
The impact of the delays and uncertainties extends far beyond the immediate circle of the contractor
community; it causes ripples throughout the cybersecurity industry. There is growing concern about the
readiness of CMMC auditors and the quality of training they receive. With the forthcoming new
requirements, there is apprehension regarding auditors' preparedness and the effectiveness of their
assessments.
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.