Although the DoD has released more information and a pending Version 0.6 for its Cybersecurity Maturity Model Certification (CMMC), there are still unanswered questions and issues that need clarification ahead of the final plan, said McCarter partner Alex Major.
“The mad dash to get it done on an important yet still artificial deadline is probably going to cause a lot of stress in the contracting community and [defense industrial base] community,” he said.
Contractors have long been held to NIST SP 800-171 for their cybersecurity requirements, so they may be at a loss when they try to navigate the CMMC against the NIST requirements already in their contracts. Although the hope was that the CMMC’s “Level 3” would align with existing requirements, the CMMC’s requirements do not necessarily follow SP 800-171. Moreover, some actually deviate from NIST’s stated and defined requirements.