BREAKING NEWS from “As the CMMC Churns”: There are now 4 ways to demonstrate compliance.

The Cyber-AB, with DoD’s implicit blessing, is now allowing Authorized C3PAOs to conduct formal NIST SP 800-171 Assessments for organizations both inside and outside of the Defense Industrial Base. This is the newest, 4th way to demonstrate compliance.

This is great news because DIBCAC Joint Voluntary Surveillance Assessments (JVSA) are restricted by DoD lawyers to prime contractors and companies identified in the DoD contract.

NIST SP 800-171 Assessments by an Authorized C3PAO now provide organizations with a separate method to demonstrate conformity to their DIB partners and grow their business. International DIB companies, MSPs, MSSPs, and even some Cloud Service Providers will benefit.

The catch-22 is that DoD doesn’t want this to bollix up CMMC while it is in rulemaking. So, officially from the Cyber-AB: “Assessments of the conformity to the NIST SP 800-171 Standard by Authorized CMMC Third-Party Assessment Organizations (C3PAO) do not convey any reciprocity or advanced standing with the United States Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) initiative, nor will they result in a certification recognized by the DoD or the CMMC Accreditation Body Inc.”

Contact Peak InfoSec if you are interested in a JVSA, NIST SP 800-171 Assessment, or just getting on our CMMC queue.
