In  the  cyber  world,  where  threats  are  perpetually  evolving,  ambiguity  can  be  a  catastrophic  recipe.
            Contractors  require  certainty  to  safeguard  themselves  and  their  partners  effectively,  ensuring  robust
            protection of vital national interests. The present scenario, wherein the details of the requirements remain
            nebulous, does not allow for such effective security measures to be put in place.


            Moreover, the confusion not only causes an operational hindrance but also stokes the flames of anxiety
            among industry players. The lack of clarity can result in potentially avoidable mistakes, furthering the risk
            exposure of the entire supply chain.



            A Race Against Time Amidst Unclear Directives

            The vacuum of precise information or guidelines concerning the Level 3 requirements has precipitated a
            frantic race against time among contractors. With a summer deadline for Level 3 announced, businesses
            find themselves in a maelstrom as they grapple with the lack of specifics.

            Adding to this complexity, the National Institute of Standards and Technology (NIST) has released a draft
            revision to the SP 800-171. Revision 3's industry comment session ended on the 15th of July and is
            looking to have the revision ratified in late 2024 or early 2025. This not only affects the CMMC standard,
            as Levels 1 and 2 are solely based on the NIST SP 800-171 standard, but also increases the number of
            controls  from  110  to  138,  introducing  new  Organizational-defined  Parameters  (ODP).  The  Rev  3
            standard's introduction of ODP allows for a company to define cost and effort based on their size and
            budget, somewhat alleviating stress for smaller companies without the budget for high-dollar security
            infrastructure.

            This scenario sets up an alarming situation where businesses are preparing for a certification process
            that might span anywhere from several months to an entire year. Without definitive guidance, businesses
            are forced to speculate, leading to increased stress levels and potential oversights that could have severe
            repercussions. Furthermore, the changes to the SP 800-171 standard present additional challenges, as
            businesses must now adapt to new controls and guidelines.

            Such  frantic  preparation  also  eats  into  valuable  resources,  both  human  and  financial.  The  inherent
            uncertainties can lead to companies allocating more resources than necessary, leading to inefficiencies
            that strain the entire process. The looming changes to the SP 800-171 standard further compound these
            issues, making the race against time even more critical.



            The Ripple Effects: Concerns over Auditors and Industry Implications

            The impact of the delays and uncertainties extends far beyond the immediate circle of the contractor
            community. It causes ripples throughout the cybersecurity industry. There is growing concern about the
            readiness  of  CMMC  auditors  and  the  quality  of  training  they  receive.  With  the  forthcoming  new
            requirements, there is apprehension regarding the auditor's preparedness and the effectiveness of their
            assessments.






            Cyber Defense eMagazine – September 2023 Edition                                                                                                                                                                                                          143
            Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.