What does CMMC stand for? CMMC stands for Cybersecurity Maturity Model Certification. The CMMC is a holistic initiative by the U.S. Department of Defense (DoD) that involves many moving parts.
With cyber-attacks becoming more sophisticated and frequent, the DoD is taking steps to ensure that the highly sensitive information and data it works with are secure. The DoD has successfully strengthened its own security; now it needs to focus on securing the companies it interacts with.
In other words, the DoD is working to minimize the chance of a data breach within its supply chain that could impact the DoD’s security and data.
This is a very long and complex process. If your organization does not plan on bidding for Department of Defense contracts now or in the future, you do not need to worry about the CMMC!
Due to the magnitude of this project, the rollout of these new CMMC requirements to the DoD’s supply chain is expected to take place over the next five years, through the end of 2026. It is to be expected that there will be some changes and bottlenecks along the way.
A 5-year rollout period does not mean a company has 5 years to prepare. In order to properly prepare, an organization should start immediately.
Your business cannot afford to fall prey to misinformation or hope for a magic bullet that will put an end to your CMMC woes at the last second.
Waiting until the last minute to implement the new security controls will increase your chances of being non-compliant, as well as the risk of significant revenue losses.
Take this drawn-out implementation period as a chance to carefully assess your current cybersecurity maturity and then prepare for the necessary changes as they arise.
These changes will affect your eligibility as a contractor or supplier of the DoD and other federal entities.
With many aspects of CMMC eligibility still up in the air, we have highlighted some important aspects you can focus on right now to ensure you remain in good standing with current regulatory requirements.
Later in this article, we have listed strategic steps that you can and should start implementing as soon as possible to prepare for the enhanced cybersecurity practices required under this new CMMC framework.
The Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule
The Interim Rule was established under the Defense Federal Acquisition Regulation Supplement (DFARS). It was created to measure contractor implementation of existing cybersecurity requirements.
This will give the DoD a gauge for current security maturity and compliance.
In addition, this rule is intended to help the DoD encourage its supply chain to adopt the CMMC framework while measuring implementation of current requirements.
As of November 30, 2020, DFARS Case 2019-D041 states that the Interim Rule mandates all DoD prime contractors and the estimated 300,000+ members of the Defense Industrial Base (DIB) supply chain to perform a basic self-assessment of their current cybersecurity posture and, once the assessment is completed, to document their results in the Supplier Performance Risk System (SPRS) at https://www.sprs.csd.disa.mil/.
Specifically, any contractor or subcontractor that has an existing contractual obligation with regard to the NIST SP 800-171 framework standards must complete a self-assessment.
This self-assessment uses the standard assessment and scoring methods to measure the organization’s NIST SP 800-171 implementation.
Once completed, the assessment score must be uploaded to the federal Supplier Performance Risk System (SPRS) database, in addition to any other requested or required documentation.
Important Components for DFARS Interim Rule requirements
- Self-assessment: Involves evaluating the implementation of the 110 cybersecurity controls defined by NIST SP 800-171. DFARS clause 252.204-7019 requires organizations to perform these self-assessments (alongside the existing DFARS clause 252.204-7012), and DFARS clause 252.204-7020 outlines the NIST SP 800-171 DoD Assessment Methodology that you must use to conduct them.
- Plan of Action and Milestones (POA&M): If you have not fully implemented any control, you must provide a POA&M document as an appendix explaining how you plan on addressing the deficiencies and by when you will complete the implementation. You can post updated scores once previously deficient controls have been addressed and remediated.
- Scoring Methodology: The scoring begins with a “perfect” score of 110, reflecting the 110 NIST SP 800-171 controls the organization must implement. Points are deducted for every control that has not been implemented. Each deduction holds a point value ranging from one to five based on the individual control’s importance. No credit is given for partially implemented controls, except for multifactor authentication and FIPS-validated encryption.
- System Security Plan (SSP): A document that contains thorough details of the implemented NIST SP 800-171 controls, such as operational procedures, organizational policies, and technical components.
- Submission of the Score: You must upload the self-assessment score to the governmental Supplier Performance Risk System (SPRS) database within 30 days of completing the assessment.
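To make the scoring methodology above concrete, here is an added example (not from the article or from the DoD methodology itself) that computes a self-assessment score and lists the controls needing a POA&M entry. The per-control weights and the 3-point partial-credit deductions for MFA (3.5.3) and FIPS-validated encryption (3.13.11) are assumptions for illustration; the authoritative values are in the DoD Assessment Methodology referenced by DFARS 252.204-7020.

```python
# Added example: NIST SP 800-171 DoD Assessment Methodology scoring, as described
# in the article. Weights and partial-credit deductions below are assumptions.
from dataclasses import dataclass

PERFECT_SCORE = 110  # one point per control; deductions are 1, 3 or 5 points

IMPLEMENTED = "implemented"
PARTIAL = "partial"
NOT_IMPLEMENTED = "not_implemented"

# Assumed partial-credit deductions for the only two controls that allow them.
PARTIAL_CREDIT_DEDUCTIONS = {
    "3.5.3": 3,    # multifactor authentication (assumed 3 of 5 points deducted)
    "3.13.11": 3,  # FIPS-validated cryptography (assumed 3 of 5 points deducted)
}


@dataclass
class Control:
    control_id: str
    weight: int   # points deducted when not implemented (assumed values below)
    status: str


def deduction_for(control: Control) -> int:
    """Points to subtract for one control. Partial implementation earns credit
    only for 3.5.3 and 3.13.11; any other partial control counts as missing."""
    if control.status == IMPLEMENTED:
        return 0
    if control.status == PARTIAL and control.control_id in PARTIAL_CREDIT_DEDUCTIONS:
        return PARTIAL_CREDIT_DEDUCTIONS[control.control_id]
    if control.status in (PARTIAL, NOT_IMPLEMENTED):
        return control.weight
    raise ValueError(f"unknown status {control.status!r} for {control.control_id}")


def score_assessment(controls: list) -> int:
    """SPRS-style score: 110 minus all deductions (can go negative)."""
    return PERFECT_SCORE - sum(deduction_for(c) for c in controls)


def poam_items(controls: list) -> list:
    """Controls that still need a Plan of Action and Milestones entry."""
    return [c.control_id for c in controls if deduction_for(c) > 0]


# Constructed sample: a few of the 110 controls; all others assumed implemented.
SAMPLE = [
    Control("3.1.1", 5, IMPLEMENTED),
    Control("3.5.3", 5, PARTIAL),        # MFA for privileged/remote users only
    Control("3.13.11", 5, PARTIAL),      # encryption in use but not FIPS-validated
    Control("3.8.3", 5, NOT_IMPLEMENTED),
    Control("3.4.9", 1, PARTIAL),        # partial earns no credit here
]
```

Running `score_assessment(SAMPLE)` on the constructed sample yields 98, and `poam_items(SAMPLE)` lists the four controls that must appear in the POA&M.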
After December 1, 2020, all new federal or defense contracts issued will include requirements to complete the Interim Rule standards as a condition of eligibility.
Unfortunately, this means the deadline for conducting a self-assessment and uploading your score to the SPRS database has already passed if your organization intends to accept any DoD or federally related contracts moving forward.
CMMC Steps to Take Immediately
Your organization should conduct an honest and detailed self-assessment to measure your cybersecurity posture score right away. This helps to ensure you are securing and protecting your information assets properly.
This will help prepare your organization for more strict cybersecurity requirements and certification processes that will be implemented under the new CMMC framework. To ensure you don’t miss out on any new contracts or renewal opportunities, you need to start preparing and implementing the necessary security controls and policies now.
Here are some steps you need to take to prepare your organization right away:
- Establish a System Security Plan (SSP): Building an SSP will help you map your network and information assets (hardware and software) and will give you a first picture of how many controls (out of the 110) your business has implemented so far.
- Assess how you deal with controlled unclassified information (CUI): Ask yourself questions on how your business manages CUI – who accesses it, where CUI lives, how it is shared, etc.
- Conduct a DoD self-assessment: You can use a tool to conduct a self-assessment and obtain a score according to the NIST SP 800-171 DoD Assessment Methodology.
- Build a POA&M Document: In this document, list all the steps you will take to mitigate the deficiencies that prevented you from getting a perfect score of 110 (along with estimated completion time).
- Upload the self-assessment: Do not forget to upload the results to the governmental SPRS database within 30 days of conducting the self-assessment, along with the SSP and POA&M.
- Document everything: This step is non-negotiable. Ensure you document every important aspect of your journey, from preparation to self-assessment to remediation.
The enhanced cybersecurity policies, controls, and standards within the CMMC regulatory framework are vast and complex. This makes understanding your obligations and how or where to get started a daunting and overwhelming task. Partnering with a specialist can help make the overall process less stressful and time-consuming.
At Data-Tech, a leading Tampa IT Managed Service Provider and Registered Provider Organization, we can provide you with the specialized tools and cybersecurity expertise you need to help you prepare for and implement the cybersecurity controls necessary to satisfy and validate compliance for both the DFARS Interim Rule and the new CMMC requirements.