Federal contractors should also be bracing for significant changes in their cybersecurity obligations. In May 2023, the National Institute of Standards and Technology (NIST) issued a draft update (Revision 3) to NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," which sets the security requirements imposed on federal contractors whose contracts require them to store, process, or transmit Controlled Unclassified Information (CUI) on their own systems. CUI is a broad category: it ranges from fairly mundane administrative records to sensitive technical and program data, and a contractor may hold it without realizing that its systems are in scope. The update is part of a government-wide effort to protect federal data residing on non-federal systems and to combat the rising tide of cyber-attacks.
In concert with NIST's updated requirements, the US Department of Defense is expected to begin implementing its revised Cybersecurity Maturity Model Certification (CMMC) program in 2023. The revised model (commonly called CMMC 2.0) consolidates the previous five-level model into three levels, with heightened standards for contractors' progression to each level: Level 1 covers basic safeguarding of Federal Contract Information, Level 2 aligns with the security requirements of NIST SP 800-171 for CUI, and Level 3 adds a subset of the enhanced requirements of NIST SP 800-172. Compliance with CMMC will become a contract requirement once the rulemaking process is complete, and it will require federal contractors to confirm that their IT policies, standards, and procedures are current and that all of their cyber assets are inventoried and properly categorized (for CMMC purposes, knowing which systems and people store, process, or transmit CUI is the starting point for drawing the assessment boundary).
It is also likely that federal agencies will continue moving towards a "zero trust" approach (described in NIST SP 800-207), in which, instead of relying on a secure network perimeter, access decisions are made and continuously re-verified for each discrete user, device, and resource. Many federal contractors will need to update their cybersecurity controls to keep pace, including implementing multifactor authentication (already required for CUI systems under NIST SP 800-171), stronger access controls such as biometric factors, and segmentation of networks and data so that CUI is isolated from the rest of the enterprise. Finally, upon incorporating these changes, the US Department of Defense will require many of its contractors to have their compliance with CMMC verified by third-party assessors, known as CMMC Third-Party Assessment Organizations (C3PAOs), which are accredited by the Cyber AB (formerly the CMMC Accreditation Body). Under the three-level model, Level 1 and a limited subset of Level 2 contracts are expected to rely on annual self-assessment, most Level 2 contracts on a triennial C3PAO assessment, and Level 3 on a government-led assessment.
Assessors, in addition to determining whether the contractor meets the CMMC level its contracts call for, will spotlight areas for improvement and provide feedback to the contractor; requirements found not to be met must be tracked in a Plan of Action and Milestones and closed within the time the program allows. These revisions to the CMMC model and benchmarks will likely impose additional costs on federal contractors to obtain the required verification, as well as potential delays in finding available third-party assessors, since a limited number of accredited C3PAOs will be serving a large contractor base. This is an ideal time for federal contractors to take proactive steps to bring their IT systems into compliance with NIST's recent updates and with CMMC, for example by scoping where CUI actually resides, running a self-assessment against NIST SP 800-171, and remediating the gaps before an assessor arrives. Contractors who fail to take the initiative run the risk of being lost in the churn of similar latecomers attempting to rush certification.