CMMC Assessments for NIST 800-171 r3

old.reddit.com / @/u/GRCAcademy, https://old.reddit.com/user/GRCAcademy

Hi Folks,

I had a great conversation with Stacy Bostjanick (Director of the CMMC program at DoD CIO) on my podcast, and she said a few things about NIST 800-171 r3 that I thought were very interesting and wanted to share here:

1. Rulemaking for NIST 800-171 r3 has already begun

Yay for more rulemaking!

2. NIST 800-171 r3 ODP Working Group

They have been working on populating the ODPs with the DIB SCC. The next step is to send it through DoD to get concurrence on the recommendations, and then through the Federal CISO Council so that other federal agencies can (hopefully) be on the same page.

She is hoping the ODPs will be part of the rulemaking process so that everyone can comment on the ODP values.

For those who don't know, ODPs are variables in the control text (i.e., lock the system after [x] amount of time of inactivity).

3. DoD's intent is to allow for CMMC 2.0 assessments based on NIST 800-171 r3 environments

Stacy said that if a company was starting from scratch, she'd recommend that they implement NIST 800-171 r3, not r2.

She said they plan to issue guidance (in coordination with the Cyber AB) to C3PAOs instructing them on "how to perform a CMMC 800-171 rev 2 assessment in an 800-171 r3 compliant environment."

I followed up on this, and my understanding is that they plan to map the 800-171 r2 to 800-171 r3 controls / assessment objectives as part of this assessment guidance.

This sounds like it is in the very beginning stages, so keep that in mind. I'm not certain how long it will take for this guidance to go live. It would be a good question to ask at a Cyber AB town hall.

I will say that her staff reviewed the episode before it went live, and they didn't ask for this segment to be removed, so they must be pretty certain that is the plan.

Here is the episode in case you want to see the full conversation (NIST 800-171 r3 discussion starts at 37:32): CMMC 2.0 Is FINALLY Here - What Happens Next (with Stacy Bostjanick) - Podcast - GRC Academy

Jacob Hill
