Get Ready for CMMC Requirements Now
Anyone claiming to have a quick fix for all your Cybersecurity Maturity Model Certification (CMMC) challenges is likely misleading you. The CMMC, introduced by the U.S. Department of Defense (DoD), is a comprehensive initiative with many moving parts that will take years to fully implement.
Here, we highlight crucial aspects you should focus on immediately to stay compliant with current regulatory requirements. We also outline strategic steps to prepare your business for the enhanced cybersecurity practices required under the new CMMC 2.0 framework.
The DFARS Interim Rule
The Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule was established to bridge the gap until CMMC 2.0 is fully rolled out. Effective November 30, 2020, the Interim Rule mandates that all DoD prime contractors and the estimated 300,000+ Defense Industrial Base (DIB) supply chain members perform a self-assessment of their current cybersecurity posture and document their results in the Supplier Performance Risk System (SPRS).
Contractors and subcontractors with existing contractual obligations related to the NIST SP 800-171 framework must complete a self-assessment using the standard assessment and scoring methodology. They must then upload the assessment to the SPRS database to qualify for new or renewed defense contracts.
Key Components of the DFARS Interim Rule
To better understand the DFARS Interim Rule requirements, familiarize your organization with these critical components:
- Self-Assessment: Evaluate the implementation of the 110 cybersecurity controls defined in NIST SP 800-171 using the NIST SP 800-171 DoD Assessment Methodology.
- Scoring Methodology: Start with a perfect score of 110, one point per NIST SP 800-171 control. Deduct the weighted value of each control that is not implemented, with point values ranging from one to five based on the control's importance. No credit is given for partially implemented controls, with two exceptions: multifactor authentication and FIPS-validated encryption.
- Score Submission: Upload the self-assessment score to the SPRS database within 30 days of completing the assessment to qualify for new contracts and renewals.
- System Security Plan (SSP): Document the details of implemented NIST 800-171 controls, including operational procedures, organizational policies, and technical components.
- Plan of Action and Milestones (POA&M): If any controls are not fully implemented, provide a POA&M document outlining how you plan to address deficiencies and the timeline for completion. Update your score once deficiencies are resolved.
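The scoring arithmetic from the list above, as an added illustration that is not part of the original article: the control weights, the partial-credit deductions for the two exception controls, and the sample implementation statuses are all assumptions for demonstration, and the real values come from the NIST SP 800-171 DoD Assessment Methodology.

```python
from dataclasses import dataclass

PERFECT_SCORE = 110  # one point per NIST SP 800-171 control

# Only these two controls earn partial credit (MFA and FIPS-validated
# encryption). The 3-point partial deduction is an assumed value.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass
class Control:
    control_id: str  # NIST SP 800-171 requirement number, e.g. "3.5.3"
    weight: int      # 1 to 5, assumed here; use the methodology's Annex values
    status: str      # "implemented", "partial" or "not_implemented"


def deduction(c: Control) -> int:
    """Points lost for one control under the scoring rules."""
    if c.status == "implemented":
        return 0
    if c.status == "partial":
        # Any partially implemented control other than the two exceptions
        # loses its full weight, exactly as if it were not implemented.
        return PARTIAL_CREDIT_DEDUCTION.get(c.control_id, c.weight)
    if c.status == "not_implemented":
        return c.weight
    raise ValueError(f"unknown status {c.status!r} for {c.control_id}")


def sprs_score(controls) -> int:
    # Total weights exceed 110, so a score can go negative.
    return PERFECT_SCORE - sum(deduction(c) for c in controls)


def poam_items(controls):
    """Controls that still cost points and therefore need a POA&M entry."""
    return [(c.control_id, deduction(c)) for c in controls if deduction(c) > 0]


# Constructed sample of 110 controls: placeholder ids for the implemented
# bulk, plus a handful of real requirement numbers with assumed weights.
SAMPLE = [Control(f"3.x.{i}", 1, "implemented") for i in range(105)] + [
    Control("3.5.3", 5, "partial"),          # MFA only partly rolled out
    Control("3.13.11", 5, "partial"),        # crypto in use but not FIPS-validated
    Control("3.1.1", 5, "not_implemented"),  # no partial credit possible
    Control("3.4.1", 3, "partial"),          # partial, but not an exception control
    Control("3.8.3", 1, "implemented"),
]
```

Running `sprs_score(SAMPLE)` gives 96, and `poam_items(SAMPLE)` lists the four controls that must appear in the POA&M.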
Immediate Steps to Take
To ensure compliance and readiness for the enhanced cybersecurity requirements under the new CMMC framework, take the following steps:
- Establish a System Security Plan (SSP): Map your network and information assets (hardware and software) to understand how many of the 110 controls your business has implemented.
- Assess CUI Management: Evaluate how your business manages controlled unclassified information (CUI), including access, storage, and sharing practices.
- Conduct a DoD Self-Assessment: Use an assessment tool or worksheet to conduct the self-assessment and obtain a score according to the NIST SP 800-171 DoD Assessment Methodology.
- Build a POA&M Document: List the steps to mitigate deficiencies that prevented a perfect score of 110, along with estimated completion times.
- Upload the Self-Assessment Score: Submit the results to the SPRS database within 30 days of conducting the self-assessment.
- Document Everything: Ensure thorough documentation of every aspect of your journey, from preparation to self-assessment and remediation.
Partner with a Specialist
The enhanced cybersecurity policies, controls, and standards within the CMMC regulatory framework are complex. Understanding your obligations and where to start can be daunting. Partnering with a specialist can make the process less stressful and time-consuming.
As an IT service provider, we offer the specialized tools and cybersecurity expertise needed to help you prepare for and implement the necessary controls to comply with the DFARS Interim Rule and new CMMC 2.0 requirements. Contact us today to get started.