CMMC & NIST 800-171: Convergence, Compliance, and Costs
The Department of Defense Cybersecurity Maturity Model Certification (CMMC) program is close to becoming law: requirements are expected to start to appear in defense contracts in early 2025. At its core, CMMC Level 2 is a validation by a third-party assessor that your institution is protecting CUI. The good news is that the security controls required at CMMC Level 2—which 95% of organizations that handle CUI need to achieve—completely converge with NIST 800-171 controls required since 2017. But self-assessment of NIST 800-171 has been permitted, and generally compliance has been weak. That will change under CMMC. This session will offer up-to-date information on CMMC and focus on how to achieve NIST 800-171 and CMMC compliance efficiently and cost effectively. Panelists will also address how cybersecurity professionals can work with campus leaders to build a culture supportive of raising cybersecurity levels and achieving compliance. If you’ve been stalling on CMMC, it’s time to get going and get it right. Currently two institutions that we know of—Penn State and Georgia Tech—are under DoJ investigation for falsely claiming compliance with NIST 800-171. Steep fines and loss of contracts (as well as reputation) are potential outcomes of such cases. This session is suitable for institutions at any point in their CMMC compliance journey. We will allow ample time for Q&A and discussion to take full advantage of the expertise in the room.
Presenters
- Sanjeev Verma, CEO, PreVeil