The Department of Defense published the “Cybersecurity Maturity Model Certification (CMMC) 2.0 Updates and Way Forward†document and outlines the CMMC background and way forward based on the Department’s internal review. Various modifications to the CMMC model are expected to take effect in the future.

One of the modifications discussed is “Eliminating level 2 and 4 and removing CMMC-unique practices and all maturity processes from the CMMC modelâ€. So that means no more policies and procedures, right? Not so fast.

Let’s look in NIST SP 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems. On page 8, there’s a text box called “Cautionary Note†that states:

“The requirements recommended for use in this publication are derived from FIPS 200 and the moderate security control baseline in SP 800-53 and are based on the CUI regulation….the tailoring criteria applied to the FIPS 200 requirements and SP 800-53 controls are not an endorsement for the elimination of those requirements and controls…â€

As we dig into FIPS 200: Minimum Security Requirements for Federal Information and Information Systems, under “Minimum Security Requirements†it states:

“Policies and procedures play an important role in the effective implementation of enterprise-wide information security programs within the federal government and the success of the resulting security measures employed to protect federal information and information systems. Thus, organizations must develop and promulgate formal, documented policies and procedures governing the minimum security requirements set forth in this standard and must ensure their effective implementation.â€

In short, the “Basic†requirements in NIST SP 800-171 assumes your organization uses policies and procedures as a security control to “govern effective implementations.†Therefore, the original CMMC model included these “maturity processes†to highlight the expectation for policies and procedures already stated in NIST SP 800-171.

About the authors:

If you have any questions, please feel free to reach out.

Fernando Machado is the Managing Principal and Chief Information Security Officer for Cybersec Investments. Cybersec Investments is a Candidate CMMC Third-Party Assessment Organization (C3PAO) helping organizations meet compliance with NIST SP 800-171 security requirements mandated by the Department of Defense for defense contractors. Fernando has over 10 years of experience working with Department of Defense customers and holds top cybersecurity industry certifications.

Ryan Bonner is the founder and CEO of DEFCERT where he has led DFARS and CMMC compliance transformation projects for over 150 manufacturers in the Defense Industrial Base. Ryan specializes in designing CMMC implementation plans for small and medium-sized manufacturers who utilize third-party IT service providers.