If someone claims to have an easy solution for all your CMMC-related problems, they are most likely trying to deceive you. The CMMC is a complex initiative by the US Department of Defense with multiple components, and it will take a long time to implement completely. However, there are some essential areas that you should prioritize to ensure compliance with current regulations. Additionally, there are strategic measures you can take across your organization to prepare for the more stringent cybersecurity standards outlined in the CMMC 2.0 framework.
The DFARS Interim Rule
To address the delayed implementation of new requirements under CMMC 2.0, the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule was established.
This rule immediately implements the DoD Assessment Methodology to evaluate a contractor's compliance with existing cybersecurity requirements.
As per DFARS Case 2019-D041, effective November 30, 2020, all DoD prime contractors and over 300,000 DIB supply chain members must conduct a basic self-assessment of their current cybersecurity posture and record their findings in the Supplier Performance Risk System (SPRS) located at https://www.sprs.csd.disa.mil/.
To understand the DFARS Interim Rule requirements, familiarize your organization with these critical components:
- Self-assessment: The self-assessment requires organizations to review their implementation of the 110 cybersecurity controls outlined in NIST SP 800-171, using the updated NIST SP 800-171 DoD Assessment Methodology.
- Scoring methodology: Scoring starts from a score of 110, corresponding to the NIST SP 800-171 controls that the organization should implement. Weighted points are subtracted for every control not implemented. The value of each deduction ranges from one to five, depending on the control's significance. Partially implemented controls do not receive any credit, except for multifactor authentication and FIPS-validated encryption.
- Submission of the score: To be eligible for new contracts or contract renewals, you need to submit your self-assessment score to the Supplier Performance Risk System (SPRS) database within 30 days of completing the assessment.
- System Security Plan (SSP): The System Security Plan (SSP) is a mandatory document that includes comprehensive information on implemented NIST 800-171 controls, including operational procedures, organizational policies, and technical components.
- Plan of Action and Milestones (POA&M): If you have not fully implemented a control, you must include a Plan of Action and Milestones (POA&M) document as an attachment, outlining how you intend to resolve the deficiencies and when you expect to complete the implementation. You can update your score once you have addressed and remedied any previously deficient controls.
To be considered for new federal or defense contracts, contractors must meet the standards outlined in the Interim Rule.
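The scoring, POA&M and submission rules above can be expressed as a small calculator. This is an added example, not a DoD or SPRS tool: the `Finding` structure, the `CTRL-*` IDs and every weight in the sample are constructed placeholders, and the IDs 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated encryption) are NIST SP 800-171 requirement numbers that do not appear on this page. Take real per-control deductions from the DoD Assessment Methodology.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_SCORE = 110                            # starting score, per the page
PARTIAL_CREDIT_IDS = {"3.5.3", "3.13.11"}  # MFA and FIPS-validated encryption
SUBMISSION_WINDOW = timedelta(days=30)     # SPRS submission deadline, per the page

@dataclass
class Finding:
    """One control that is not fully implemented (hypothetical structure)."""
    control_id: str
    weight: int                     # deduction when not implemented (1 to 5)
    status: str                     # "partial" or "not_implemented"
    partial_deduction: int = 0      # honoured only for PARTIAL_CREDIT_IDS
    planned_completion: Optional[date] = None  # POA&M milestone

def deduction(f: Finding) -> int:
    """Points subtracted for one control that is not fully implemented."""
    if not 1 <= f.weight <= 5:
        raise ValueError(f"{f.control_id}: weight must be between 1 and 5")
    if f.status == "partial" and f.control_id in PARTIAL_CREDIT_IDS:
        return f.partial_deduction  # reduced deduction for the two exceptions
    if f.status in ("partial", "not_implemented"):
        return f.weight             # partial implementation earns no credit
    raise ValueError(f"{f.control_id}: unknown status {f.status!r}")

def assess(findings: list[Finding], completed_on: date) -> dict:
    """Score the assessment and flag POA&M entries with no completion date."""
    return {
        "score": MAX_SCORE - sum(deduction(f) for f in findings),
        "poam_missing_dates": [f.control_id for f in findings
                               if f.planned_completion is None],
        "submit_by": completed_on + SUBMISSION_WINDOW,
    }

# Constructed sample: CTRL-* IDs and all weights are placeholders.
SAMPLE = [
    Finding("CTRL-A", 5, "not_implemented", planned_completion=date(2024, 6, 30)),
    Finding("CTRL-B", 1, "partial", planned_completion=date(2024, 5, 15)),
    Finding("3.5.3", 5, "partial", partial_deduction=3,
            planned_completion=date(2024, 4, 30)),
    Finding("CTRL-C", 3, "not_implemented"),
]

if __name__ == "__main__":
    print(assess(SAMPLE, date(2024, 3, 1)))
```

The `poam_missing_dates` list catches deficiencies that have been recorded without an expected completion date, which the POA&M is required to state.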
Immediate Steps to Take
It is recommended that your organization conducts a comprehensive and precise self-assessment to determine your cybersecurity posture score and ensure the adequate protection of your information assets. This is the initial step in preparing for the new CMMC framework's enhanced cybersecurity requirements and certification process. To avoid missing out on new contracts or renewal opportunities, it is essential to begin preparing and implementing the necessary security controls and policies immediately.
- Establish a System Security Plan (SSP): Creating an SSP can assist you in charting your network and information assets (including hardware and software) and serve as the starting point for determining the number of controls (out of a total of 110) that your business has currently implemented.
- Assess how you deal with controlled unclassified information (CUI): Ask how your business handles CUI: who has access to it, where it is stored, how it is shared, and so on.
- Conduct a DoD self-assessment: You can use a tool to perform a self-assessment and receive a score based on the NIST SP 800-171 DoD Assessment Methodology.
- Build a POA&M document: In this document, detail all the measures you plan to implement to address the shortcomings that prevented you from achieving a perfect score of 110, including the projected timeline for completion.
- Upload the self-assessment score: Remember to submit the outcomes of the self-assessment to the government SPRS database within 30 days of its completion.
- Document everything: This step is mandatory. Make certain to record every critical element of your progress, including preparation, self-assessment, and remediation.
The CMMC regulatory framework contains comprehensive and intricate cybersecurity policies, controls, and standards, which can make it challenging and intimidating to comprehend your responsibilities and determine where to begin.
Teaming up with an expert can alleviate the stress and save time throughout the entire process. As an IT service provider, we possess the specialized tools and cybersecurity knowledge required to assist you in preparing for and executing the necessary cybersecurity controls to achieve and verify compliance with the DFARS Interim Rule and new CMMC 2.0 requirements.