With so many places to go for National Institute of Standards and Technology (NIST) updates, it can be challenging to know if you have the most up-to-date information. A source like NIST.gov may supply the “official word,” but necessary information is often missing. Tracking down those knowledge gaps may land you on an online networking platform or professional organization, where the industry folks can be found.
That was the exact case for a recent Request for Information (RFI) posted by NIST.gov about the critical topic of cybersecurity risk frameworks. The “cool kids” at the table refer to it as NIST 800-171 (don’t go down the rabbit hole of defining “cool” because that’s where it gets subjective). The website states that if you would like to respond to the RFI via written comment, you can mail (yes, mail) responses to: Cybersecurity Framework, National Institute of Standards and Technology, 100 Bureau Drive, Stop 2000, Gaithersburg, MD 20899. Yes, before you ask, they do give an email address for online submissions. My question to you out there: is anyone in today’s world of 2022 sending in written comments to an RFI, or to anything, really? Is a written response option actually necessary?
“Dear government, please provide me a stamp so I may send you my hand-written love note of confusion to your framework agreements. Sincerely, everyone.”
The Best Source of Information on CMMC
Peer networks are key for those who hope to truly understand the Cybersecurity Maturity Model Certification (CMMC) and what these framework guidelines truly are. Look for those companies that are in the Defense Industrial Base (DIB) that are tirelessly searching by the minute for the latest update on government guidelines. Those are the people who are asking the hard-hitting questions and challenging the government to solve their own issues before asking the DIB to solve theirs. Although I am a very firm believer in outsourcing happiness, companies are not going to be able to do much outsourcing when it comes to internal cyber hygiene.
My caution, and please heed my warning: if you find ANYONE selling you a tool to help you get prepared for CMMC, please send thoughts and prayers to their families, but think twice before you purchase any CMMC compliance framework. Ask yourself how someone can give you a reference, tool, or scale if the government hasn’t even released the parameters yet. But for one easy payment of $500, we can help you get started!
Unfortunately, silver bullet solutions always look better than they actually are. By all means, tighten up your cybersecurity frameworks. But if you’re searching for a CMMC compliance tool today, you’re likely a year too early to be purchasing something that can deliver on the promise.
All in all, it is looking like this time next year, May 2023, is when we might start to see the guidelines written in semi-permanent ink and when the government (or your prime) starts asking for your “certificate.” My big question to the government…will they be mailing these certificates, or will an encrypted email suffice? Do we think the certificate is going to contain any Personally Identifiable Information (PII) or dare I say Controlled Unclassified Information (CUI)? If we are going to be asked to retrieve from DoD SAFE, I am going to move to Nepal, open a small business, and take people one way up a mountain. That might be a dramatic response, but these are desperate times and the dramatics are valid (in one person’s opinion).
If you aren’t too sure what that means, don’t worry, you’re in good company. No one does, and we are all faking it for now. The Beach Boys said it best… “help me Rhonda, help help me Rhonda.” Only time will tell if DoD will let another policy come between you and CMMC. For now, if you’re waiting to see – you’re in good company.