As one of our industry’s leading CMMC consultants, Abel Solutions keeps our clients and readership updated on the most recent developments with the Cybersecurity Maturity Model Certification.
Anyone promising you a simple solution to all your CMMC issues is trying to pull a fast one. The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive effort by the U.S. Department of Defense (DoD) that will take many years to fully implement, and thus involves numerous moving parts.
But just because the CMMC won’t be fully realized in the near future doesn’t mean your organization isn’t responsible for implementing the CMMC’s mandated security controls now. If you plan on maintaining your eligibility as a DoD contractor and supplier, you need an accurate assessment of your current cybersecurity maturity and what you need to improve ASAP.
In the following post, we’ve outlined some vital steps you should immediately take to remain eligible and compliant with current regulatory requirements. We’ve also provided some strategic efforts that you should immediately undertake throughout your organization to be ready for the enhanced cybersecurity practices required under CMMC 2.0.
The CMMC Interim DFARS Rule
- Because new requirements under CMMC 2.0 will not be fully codified for years, the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule was established
- The Interim Rule establishes DoD Assessment Methodology to determine contractor compliance with existing cybersecurity requirements
- Per DFARS Case 2019-D041, the Interim Rule mandates all DoD prime contractors and DIB supply chain members to perform a self-assessment of their current cybersecurity integrity and to upload their results in the Supplier Performance Risk System (SPRS)
- All contractors and subcontractors with existing contracts related to NIST SP 800-171 must complete a self-assessment using the standardized scoring methodology in accordance with 800-171 controls
- The assessment score must be uploaded to the federal Supplier Performance Risk System (SPRS) database to qualify for new or renewed defense contracts
To help you better understand the DFARS Interim Rule requirements, you must familiarize your organization with these critical components:
Self-Assessment
Your self-assessment requires evaluating the implementation of 110 different cybersecurity controls defined by the NIST SP 800-171. Self-assessments must be performed using the new NIST (SP) 800-171 DoD Assessment Methodology.
Submission of Self-Assessment Score
In order to qualify for new contracts and contract renewals, you’re required to upload the self-assessment score to a governmental Supplier Performance Risk System (SPRS) database within 30 day of the assessment.
Plan of Action and Milestones (POA&M)
If you do not receive a perfect self-assessment score, you must provide a POA&M document explaining how and when you plan remedy deficiencies. You can post updated scores once previously deficient controls have been addressed and remediated.
Self-Assessment Scoring Methodology
Each self-assessment begins with a perfect score of 110, accounting for each NIST (SP) 800-171 control. Weighted points are to be deducted for every control that has not been fully implemented. Each deduction holds a point value ranging from 1 to 5 based on that individual control’s importance. No credit is to be given for partially implemented controls, except for multi-factor authentication and FIPS-validated encryption.
System Security Plan (SSP)
You’re required to thoroughly document how you’ve implemented all NIST 800-171 controls such as operational procedures, organizational policies and technical components.
Immediate Steps To Take for CMMC 2.0
If you haven’t already, your organization should get ready to conduct a thorough and accurate self-assessment to determine your cybersecurity score as soon as possible. This is the first vital step in preparing for the enhanced cybersecurity requirements and certification process that will be codified under the new CMMC framework. If your organization doesn’t want to miss out on new contracts or renewal opportunities, you need to start implementing the necessary cybersecurity controls and policies now. Here’s a hit list:
Establish a Systems Security Plan (SSP)
Building an SSP will help map your network and information assets (hardware and software) and will determine how many controls (out of the 110) your business has implemented so far.
Assess Current Controlled Unclassified Information Protocols
How does your organization manage Controlled Unclassified Information (CUI)—who accesses it, where does it live, how is it shared, etc.?
Conduct a DoD Self-Assessment
Take advantage of the CMCC tool to conduct a self-assessment and obtain a score as per the NIST (SP) 800-171 DoD Assessment Methodology.
Build a POA&M document
List all the steps you will take to mitigate any cybersecurity deficiencies that prevented you from getting a perfect score of 110 (along with estimated completion time).
Upload the self-assessment score
Upload the results to the governmental SPRS database within 30 days of conducting the self-assessment.
Document Everything
This is non-negotiable. Be sure to document every crucial aspect of your journey—from preparation to self-assessment to remediation and reporting.
Are you CMMC 2.0 ready?
The cybersecurity policies, controls and standards within the CMMC framework are vast and complex. Understanding your obligations and where to begin can certainly be a daunting task.
Partnering with a CMMC consultant helps make the entire process less stressful and much more efficient. As CMMC consultants, we can provide you with the specialized tools and cybersecurity expertise you need to help you prepare for and implement the cybersecurity controls necessary to satisfy and validate compliance to the DFARS Interim Rule and new CMMC 2.0 requirements.
Talk To A CMMC Consultant
Schedule a free consultation with one of our CMMC experts today.