Kevin Perrell

Get Ready for CMMC Requirements Now

Anyone claiming a foolproof solution to your Cybersecurity Maturity Model Certification (CMMC) problems is trying to con you. The CMMC is a multifaceted U.S. Department of Defense (DoD) initiative that will take years to implement.


We’ve outlined several crucial factors you must address immediately to maintain eligibility and compliance with current regulatory requirements. You’ll also discover some strategic steps to implement across your organization in preparation for the enhanced cybersecurity practices mandated by the new CMMC 2.0 framework.


The DFARS Interim Rule


The Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule was created because CMMC 2.0’s new requirements will not be fully implemented for some time. The Interim Rule establishes the DoD Assessment Methodology for evaluating a contractor’s compliance with cybersecurity requirements. According to DFARS Case 2019-D041, as of November 30, 2020, the Interim Rule requires all DoD prime contractors and the estimated 300,000+ Defense Industrial Base (DIB) supply chain members to conduct a minimal self-assessment of their current cybersecurity posture and document the results in the Supplier Performance Risk System (SPRS) at https://www.sprs.csd.disa.mil/.


All contractors and subcontractors with extant contractual obligations related to the NIST SP 800-171 framework standards must conduct a self-assessment using the standard assessment and scoring methodology to evaluate their organization’s compliance with the NIST requirements. Contractors must then submit the assessment to the federal Supplier Performance Risk System (SPRS) database to qualify for new or renewed defense contracts.

To better grasp the requirements of the DFARS Interim Rule, you must familiarize your organization with the following essential components:

Self-Assessment

This assessment evaluates the implementation of the 110 distinct cybersecurity controls outlined in NIST Special Publication 800-171. Organizations must conduct self-assessments per the new NIST (SP) 800-171 DoD Assessment Methodology.

Scoring Methodology

The scoring methodology begins with a “perfect” score of 110, corresponding to the 110 NIST (SP) 800-171 controls the organization must implement. Every unimplemented control is penalized with a weighted point deduction. The point value of each deduction ranges from one to five based on the significance of the individual control. Except for multifactor authentication and FIPS-validated encryption, no credit is given for partially implemented controls.
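As an added illustration (not part of this post, and not the DoD’s own scoring tool), the following Python computes a score under the rules just described. The control identifiers, weights and sample statuses are constructed data, not the full 110-control table, and the reduced 3-point deduction for partially implemented MFA and FIPS encryption is an assumption taken from the published methodology that you should verify against the current revision.

```python
from dataclasses import dataclass

PERFECT_SCORE = 110  # one point per NIST SP 800-171 control

# Only these two controls earn partial credit; the reduced deduction (3 instead
# of 5) is assumed from the published DoD Assessment Methodology.
PARTIAL_CREDIT = {
    "3.5.3": 3,    # multifactor authentication
    "3.13.11": 3,  # FIPS-validated cryptography
}

@dataclass
class Finding:
    control: str  # NIST SP 800-171 requirement id
    weight: int   # deduction when not implemented (1, 3 or 5)
    status: str   # "implemented", "partial" or "not_implemented"

def deduction(f: Finding) -> int:
    """Weighted points deducted for one control."""
    if f.status == "implemented":
        return 0
    if f.status == "partial":
        # Any other partially implemented control counts as not implemented.
        return PARTIAL_CREDIT.get(f.control, f.weight)
    if f.status == "not_implemented":
        return f.weight
    raise ValueError(f"unknown status {f.status!r} for {f.control}")

def sprs_score(findings: list) -> int:
    """Start at 110 and subtract every deduction; the result can go negative."""
    return PERFECT_SCORE - sum(deduction(f) for f in findings)

def poam_items(findings: list) -> list:
    """Controls that must be carried in the POA&M (anything not fully done)."""
    return [f.control for f in findings if f.status != "implemented"]

# Constructed sample assessment (weights are sample values, not the full table).
SAMPLE = [
    Finding("3.1.1", 5, "implemented"),
    Finding("3.5.3", 5, "partial"),          # MFA only partly rolled out
    Finding("3.13.11", 5, "partial"),        # encryption in use, not FIPS-validated
    Finding("3.3.1", 5, "not_implemented"),  # audit logging
    Finding("3.4.1", 5, "partial"),          # partial baseline: no partial credit
]

if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE), "POA&M:", poam_items(SAMPLE))
```

The same list of findings that drives the score also yields the set of controls that must appear in the POA&M, so keeping one inventory for both avoids the two documents drifting apart.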

Submission of the Score

To be eligible for new contracts and contract renewals, you must transmit the self-assessment score to a government Supplier Performance Risk System (SPRS) database within 30 days of completing the assessment.

System Security Plan (SSP)

This is a mandated document that contains comprehensive information about the NIST 800-171 controls that have been implemented, including operational procedures, organizational policies, and technical components.

Plan of Action and Milestones (POA&M)

If a control is not yet fully implemented, you must provide a POA&M document as an appendix that describes how you intend to resolve the deficiencies and when the implementation will be completed. Once previously deficient controls have been addressed and remedied, you can post updated scores.

The Interim Rule requirements must be met to be eligible for new federal or defense contracts.


Immediate Steps to Take


If you haven’t already, your organization should prepare to undertake a thorough and accurate self-assessment to measure your cybersecurity posture score and ensure that your information assets are adequately secured and protected. This is the initial phase in preparing for the new CMMC framework’s enhanced cybersecurity requirements and certification process. To avoid missing out on new contracts or renewal opportunities, you must prepare and implement the necessary security controls and policies.

Here are some measures you must take immediately to prepare your organization:

Establish a Systems Security Plan (SSP)

Building an SSP will help you map your network and information assets (hardware and software), and it is the starting point for knowing how many of the 110 controls your organization has implemented to date.

Assess how you deal with Controlled Unclassified Information (CUI)

Consider how your business manages CUI — who has access to it, where it resides, how it is disseminated, etc.

Conduct a DoD Self-Assessment

Using a self-assessment tool, you can score your organization per the NIST (SP) 800-171 DoD Assessment Methodology.

Build a POA&M Document

In this document, outline the actions you will take to address the deficiencies that prevented you from achieving a perfect score of 110 (along with an estimated completion date).

Upload the Self-Assessment Score

Remember to transmit the results to the government SPRS database within 30 days of completing the self-assessment.

Document Everything

This step is non-negotiable. Ensure you document every essential aspect of your journey, from planning to self-assessment and remediation.


The CMMC regulatory framework for enhanced cybersecurity policies, controls, and standards is vast and intricate, making it challenging to comprehend your obligations and how to get started.

Partnering with a specialist can reduce tension and save time throughout the process. As an IT service provider, we can provide you with the specialized cybersecurity tools and knowledge you need to prepare for and implement the cybersecurity controls necessary to satisfy and validate compliance with the DFARS Interim Rule and the new CMMC 2.0 requirements.
