You may remember July 2023 as an unexpectedly thrilling month in the cybersecurity world. The draft documents for the much-anticipated Cybersecurity Maturity Model Certification (CMMC) 2.1 were unintentionally published and, even though they were hastily retracted, not before they gave us a hefty dose of insight into what the future may hold.
Coming from the Department of Defense (DoD), the leaked documents reflect a process in which feedback from the Defense Industrial Base (DIB), the CyberAB, and the wider CMMC ecosystem is being taken into account. One thing that's clear from this unexpected preview is that the march towards a more secure digital landscape is far from slowing down: the government is keeping the gears of CMMC in full motion.
Let's get into more detail about the potential changes that could come with the transition from version 2.0 to 2.1, based on the brief accidental reveal.
One of the standout revelations from the leaked documents is what appears to be a much-needed clarification on the role and definition of an External Service Provider (ESP). An ESP, most commonly recognized as a Managed Service Provider (MSP), a Managed Security Services Provider (MSSP), or any organization handling Controlled Unclassified Information (CUI) or Security Protected Data on behalf of the Organization Seeking Certification (OSC), has always been somewhat ambiguous in terms of context and guidelines. The forthcoming version of CMMC looks set to put an end to this ambiguity, which could be a huge relief for organizations wrestling with correctly defining their environments.
According to the leaked version, the definition of what constitutes an ESP is expected to form part of the final rule-making under 32 CFR 170. This precision should provide much-needed clarity and guidance that organizations have been seeking when it comes to properly scoping their digital environments according to the CMMC.
Perhaps more eyebrow-raising is the implication that ESPs must secure a degree of certification akin to that of the OSCs they serve, a shift that is causing a degree of head-scratching across the industry. It's a significant game-changer, particularly because most ESPs, like Cloud Service Providers (CSPs), are not government contractors and so have not previously been beholden to the same strict regulations, such as those outlined in Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.
So, the million-dollar question raised by this potential new requirement: might ESPs need to develop and demonstrate compliance programs in line with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171? The answer could very well be a resounding 'yes'.
Despite these potential changes, the bedrock of cybersecurity requirements remains as it has been. The basic requirements of DFARS 252.204-7012 and NIST SP 800-171 Revision 2 continue to stand strong, underpinning the CMMC. So, no matter what happens, these are foundations that organizations will still have to build on. We've written extensively in the past on DFARS 252.204-7012 and many of its basic requirements, but here's a helpful list:
The implications of these leaked changes go beyond ESPs and OSCs. As a hint of the wider reverberations, we can expect the landscape of cybersecurity education to be overhauled, especially for professionals certified under the CyberAB Cybersecurity Assessors and Instructors Certification Organization (CAICO).
Reflecting on the shift from CMMC 1.0 to 2.0, we remember that significant training revisions were necessary, a process likely to be repeated with the introduction of CMMC 2.1. But this time, several additional certifications, such as the Certified CMMC Professional (CCP) and the Certified CMMC Assessor (CCA), may need to be factored in when the exams are reviewed and updated.
One thing we can say with certainty from these anticipated changes: cybersecurity, just like technology, is ever-evolving. Keeping the CMMC model and its documentation current with contemporary technologies, solutions, and threats is not just an option; it's a necessity. We've already witnessed a surge of Executive Orders focusing on cybersecurity matters, regular updates to the NIST publications, and now these potential advancements to CMMC. It's clear that the requirements for the DIB will perpetually evolve and adapt, reinforcing the lifeline of cybersecurity in the modern age.
Here at Sharetru, we've been a beacon in the cybersecurity space, leading the way in helping organizations fulfill NIST SP 800-171 requirements for file sharing since 2018. Our credentials are not light; in fact, we've completed our FedRAMP Moderate equivalency System Security Plan (SSP), which aligns with DFARS 252.204-7012. That's a clear demonstration of our commitment to your security.
If your data transfer routine already runs on Sharetru, there's more good news for you. You're already in an exceptional position to meet future demands, even before they become official. Our systems already adhere to the most stringent standards, ensuring you're ahead of the pack when new regulations roll out.
If you're yet to benefit from Sharetru's capabilities, it's high time to consider us as your CMMC go-to file transfer solution. Aligning with Sharetru means a more seamless journey to compliance with evolving cybersecurity regulations.
Looming changes, such as the potential need for External Service Providers (ESPs) to attain certain levels of certification, are on our radar. Rest assured, should this development materialize, Sharetru is poised to adapt swiftly, showing unwavering commitment to maintaining the trusted partnership we've built with our clients. Staying compliant in an ever-evolving cyber landscape is easier when you're aboard the Sharetru ship.