Since the creation of the CMMC (Cybersecurity Maturity Model Certification) Accreditation Body and the announcement of the CMMC standard, those of us working with the Department of Defense have been anxiously awaiting further updates, instruction, and action. Well, the time is here.
With the recent release of the DFARS Interim Rule under DFARS Case 2019-D041, effective November 30, 2020, three new clauses define upcoming contractor obligations to protect Department of Defense (DoD) Controlled Unclassified Information (CUI):
• DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements
• DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements
• DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements
DFARS 252.204-7021 formally begins DoD's adoption of the Cybersecurity Maturity Model Certification (CMMC). DFARS 252.204-7019 and 252.204-7020 are effective immediately: every contractor handling CUI must have and maintain a current assessment score (not more than three years old, produced using the NIST SP 800-171 DoD Assessment Methodology) in the DoD Supplier Performance Risk System (SPRS), and before awarding a contract or subcontract involving CUI, the awarding organization must confirm that a current score for the offeror is posted in SPRS. The same check flows down: a prime may not award a subcontract involving CUI to a subcontractor without a current score.
Translation: To be awarded a DoD contract (or keep one) that involves CUI, you must take these steps now:
1. Ensure that you have a current DoD Assessment score in SPRS (for all CAGE codes covered by your System Security Plan (SSP)).
If your organization's NIST SP 800-171 implementation has already been assessed by DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) at the Medium or High confidence level, DCMA posts that score to SPRS for you and this requirement is already satisfied.
Consider requesting a DIBCAC Medium or High confidence assessment through your contracting officer. Beyond documenting your score in SPRS, an external assessment is good preparation for the third-party assessment that CMMC will require, because it exercises the same evidence (SSP, policies, configuration artifacts) that an assessor will ask for.
At a minimum, determine your score through the Basic (self-)assessment and submit it to SPRS following the regulatory guidelines: the score is reported per System Security Plan, with the CAGE codes it covers and the date by which a score of 110 is expected to be achieved. (See Annex B of the NIST SP 800-171 DoD Assessment Methodology, V1.2.1, for the summary-level information to submit.)
2. Address the Additional CMMC Practices and Processes
To achieve CMMC Level 3 certification from a CMMC Third-Party Assessor Organization (C3PAO), an organization must demonstrate implementation of all 130 Level 3 practices (the 110 NIST SP 800-171 requirements plus 20 additional practices), as well as the three maturity processes associated with Maturity Level (ML) 3 (inclusive of the ML2 processes). Unlike the DoD Assessment, where open items lower the score but still permit a submission, Plans of Action and Milestones (POA&Ms) do not count toward certification: an unimplemented practice is a failed practice.
When the time comes, you must show not only that these additional measures are in place, but that they have been operating long enough to produce evidence of their effectiveness (for example, retained logs, review records, and documented policy and resource plans), since the ML2 and ML3 processes are about institutionalized, managed practices rather than one-time fixes.
Where to look for help getting and staying compliant with DFARS and CMMC
If you know your business has a lot of work to do to meet these new requirements but aren’t sure how you will be able to do so, we can help.
OnCall Computer Solutions is one of the few technology partners providing full white-glove service in assessing and fortifying contractors' security infrastructure to get them into, and keep them in, compliance with DFARS and now CMMC. If this is something your business is looking for, you can book a consultation call with us today.