Contractors that do business with the US Department of Defense have a new cybersecurity standard to achieve.
The US Department of Defense recently clarified its rules with the passage of the interim Defense Federal Acquisition Regulation Supplement (DFARS) rule.
The interim rule - effective December 1st, 2020 - improves the verification of cybersecurity compliance in the short term. This allows for time to fully implement the Cybersecurity Maturity Model Certification (CMMC).
The new rule has immediate implications for any company doing business with the DoD.
What Is CMMC?
The CMMC framework provides a structure to assess and improve the cybersecurity of DoD contractors. A DoD audit found a widespread failure by contractors to meet its cybersecurity requirements.
Previously, contractors self-certified compliance with the security controls, in effect defining compliance for themselves. Cybercrime results in close to $600 billion in losses every year. This led the government to implement a new program requiring a third-party review to prove compliance.
As a quick CMMC overview, the framework maps best practices and processes to five levels. Level 1 covers the simplest and most basic cyber hygiene requirements, while Level 5 lays out more advanced and progressive requirements.
Beginning October 1, 2025, all contracts over a certain threshold will be required to achieve CMMC certification. The exception is for those contracts solely for COTS items.
How the Interim Rule Affects NIST 800-171
In the past, NIST 800-171 compliance was a self-attestation, and there was little to no verification of actual compliance by the government. The interim rule allows solicitations to require a current (within the last three years) NIST 800-171 assessment.
In addition, upon contract award the supplier may be required to submit a score, based on the number of outstanding issues in the POA&M, into the DoD's Supplier Performance Risk System (SPRS).
Assuming the information system in question is considered "moderate" risk, the score starts at 110 (one for each of the 110 security controls), and issues identified in the POA&M are deducted from that number.
Should a POA&M contain open issues, you may have to provide the government with your timeline for remediating them. Lastly, the Defense Contract Management Agency (DCMA) may audit organizational systems at the "medium" and "high" levels, similar to DCAA compliance audits.
How the Interim Rule Impacts CMMC
In addition to the NIST 800-171 requirements, the interim rule allows for DoD to begin requiring CMMC compliance in solicitations. Depending on the solicitation, the level will vary from Level 1 to 5.
CMMC accreditation, as it stands, will require an audit performed by an independent third-party assessor. While the CMMC Accreditation Body has been assumed to be the provider for these audits, the interim rule does not name it specifically.
Instead, the rule specifies, "Upon completion of a CMMC assessment, a company is awarded a certification by an independent CMMC Accreditation Body (AB) at the appropriate CMMC level". In other words, the wording leaves open the possibility that another accreditation body could appear in the future.
It is currently estimated that DoD will roll out the requirement slowly, starting with 15 specifically chosen solicitations. However, things will ramp up from there, with CMMC requirements eventually appearing in all DoD solicitations in 2025.
What Your Company Should Do Now
If you plan to do business with the DoD, there are several steps you should take now before the interim rule goes into effect.
The most important is to comply with NIST 800-171 if you have not done so already, or to re-assess your organization if it has not been done within the last three years. In addition, it would be a good idea to begin closing out items on your POA&M if they have been languishing for a while.
You will also want to get ready for the CMMC accreditation process to ensure timely certification once the assessors are in place. While there is significant overlap between CMMC and NIST 800-171, there are additional controls required in CMMC depending on the level. For example, Level 3 has thirty controls in addition to the 110 for NIST 800-171 moderate.
In addition to the new security controls, with CMMC your organization will need to demonstrate maturity and application of processes outlined in your policies and procedures.
For example, if you have an incident response plan, is your organization actually carrying it out, doing so correctly, and documenting the results and actions taken?
Will You Be Ready for Compliance?
The DoD awards more than 480,000 contracts each year to almost 40,000 businesses now affected by the NIST and CMMC updates. We can provide you with a gap analysis and compliance plan to meet the new requirements.
If you need help getting ready for the rule changes, contact us today. Our IT security experts can work with you to ensure your information systems are usable, reliable, safe, compliant, and secure.