There are a lot of changes coming to NIST 800-171 and CMMC. A LOT. The big problem here is that the threats are moving fast and hard, and most companies are STILL ill-prepared to deal with them. You can be the most prepared shop out there, but you will still only be as secure as your most insecure supplier. To combat this, the latest updates to NIST 800-171 and CMMC will include Supply Chain Risk Management (SCRM), under which you will have to have a plan to manage the compliance of YOUR supply chain. This is going to be a challenge, but you all know we have been harping on this for years.
Another change to NIST 800-171 and CMMC is that your Managed Service Provider (that’s us) will have to have a Service Level Agreement with you stating that we also abide by the security requirements for the protection of CUI. We have been anticipating this change, and it is a good one. It means IT companies assisting with “compliance” MUST MEET THE SAME STANDARDS.
There are a lot more changes, and we will be sending out a summarized update soon to all our DoD Compliance customers.