Five Key Phases of Incident Response From the National Institute of Standards and Technology (NIST) Incident Response Framework

  1. Identify: If you want to manage your cybersecurity risk, you need to have a comprehensive understanding of your tech environment. This function requires a company to have visibility over its digital and physical assets, clearly define its roles and responsibilities, identify the risks it faces, and create policies and procedures to manage those risks.
  2. Protect: During this phase of the incident response framework, your IT service provider should keep track of both digital and physical resources, provide awareness and training, safeguard data, and oversee network configuration baselines and operations. This helps ensure that compromised system components are quickly rectified. To increase cyber resilience, you should also implement preventive technology.
  3. Detect: To swiftly identify cybersecurity incidents, your business must take proper measures. You need to continuously monitor your systems to recognize unusual activity and other risks to your operational continuity. It is imperative for a business to have full visibility into its networks so it can anticipate a cyberthreat and act appropriately in the event of one. The best way to detect and prevent cyberattacks on ICS networks is through constant surveillance and monitoring of threats.
  4. Recover: Getting your affected systems back online following an attack or incident is the focus of the recovery phase in your incident response plan. This will depend on whether the systems’ flaws have been fixed and how your company plans to make sure they aren’t exploited again. During this phase, your affected systems are tested, monitored and verified. If you fail to ensure adequate recovery, you can have difficulty preventing another similar disaster in the future. We all know how terrible that can be for operations and your reputation.
  5. Respond: When your business experiences a cyber incident, you need to develop a response strategy, pinpoint channels of communication between the pertinent parties, gather and analyze case data, carry out all necessary actions to put an end to the incident and incorporate any lessons gained into updated response tactics.

As the frequency and complexity of cyberthreats continue to grow and evolve, you can protect your business by partnering with Nomerel.

An IT service provider like Nomerel can prepare your organization for a variety of cyber incidents, including ransomware attacks, phishing scams, data loss and technical difficulties. When you have an incident response plan in place, you can limit the damage caused by these incidents while also giving your employees an action plan to follow.

What are 5 indicators that your computer may have a virus?

  1. Your computer is slow and restarting it does not help.
  2. Your computer crashes frequently or you get the “blue screen of death.” Restarting it doesn’t help.
  3. Your computer is making “strange” noises as your hard drive and fan are affected by the virus. Viruses often damage the hard drive and cause it to work harder.
  4. You are missing files from your directory, or your files are corrupted and won’t open properly.
  5. A new application or process appears to be running in the background and consuming CPU. This can also contribute to your computer slowing down.

If you suspect your computer has a virus, scan your computer with the anti-virus and anti-malware software you have installed. If Nomerel manages your anti-virus software, open a ticket by calling our Support Desk at 918-806-9000 (M-F 8-5), or by sending an email to support@Nomerel.com as soon as you can after discovery. Time is of the essence when dealing with viruses or malware. You should also immediately unplug the network cable or turn off your wifi to prevent the potential compromise from spreading. Do this with all machines you suspect may have been attacked.

One final note: Cyber criminals are very good at social engineering phishing emails. They only have to be lucky once to compromise your company’s network. Training your workforce to recognize phishing emails can greatly enhance their ability to avoid them. However, anyone can make a mistake and get compromised. The quicker Nomerel knows about the issue, the quicker we can remediate the damage and get your company back on track.

Getting Ready for New CMMC Requirements Now

Right off the bat, we’re here to tell you that anyone promising you a sure-shot solution to all your CMMC woes is trying to pull a fast one on you. The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive move by the U.S. Department of Defense (DoD) that involves many moving parts and will take years to implement fully.

There’s no reason to put off implementing the new security controls until the last minute, hoping that everything will be in order by then. You need to seek accurate information with respect to your current cybersecurity maturity stance and what you should start preparing for now. Implement these changes within your business immediately to ensure you will be ready for the changes to your eligibility as a contractor or supplier for the DoD and other federal entities.

We have highlighted some crucial aspects you must immediately focus on to remain eligible and in good standing with current regulatory requirements. In addition, we’ve also listed some strategic steps that you should immediately implement throughout your business to be ready for the enhanced cybersecurity practices required under the new CMMC 2.0 framework.

The DFARS Interim Rule
Since new requirements under CMMC 2.0 will not be fully rolled out for years, the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule was established. The Interim Rule immediately establishes the DoD Assessment Methodology to get a measure of a contractor’s implementation of the existing cybersecurity requirements. According to DFARS Case 2019-D041, effective November 30, 2020, the Interim Rule requires all DoD prime contractors and the estimated 300,000+ DIB supply chain members to perform a minimal self-assessment of their current cybersecurity posture and document their results in the Supplier Performance Risk System (SPRS) at https://www.sprs.csd.disa.mil/.

All contractors and subcontractors with existing contractual obligations related to the NIST SP 800-171 framework standards must complete a self-assessment using the standard assessment and scoring methodology to assess their organization’s implementation of the NIST requirements. The assessment score must be uploaded to the federal Supplier Performance Risk System (SPRS) database to qualify for new or renewed defense contracts.

To help you better understand the DFARS Interim Rule requirements, you must familiarize your organization with these critical components:

• Self-assessment: This involves evaluating the implementation of the 110 cybersecurity controls defined by NIST SP 800-171. Organizations must perform self-assessments using the new NIST (SP) 800-171 DoD Assessment Methodology.

• Scoring methodology: The score begins at a “perfect” 110, one point for each NIST (SP) 800-171 control the organization must implement. Weighted points are deducted for every control that has not been implemented. Each deduction holds a point value ranging from one to five based on the individual control’s importance. No credit is given for partially implemented controls, except for multifactor authentication and FIPS-validated encryption.

• Submission of the score: You must upload the self-assessment score to the governmental Supplier Performance Risk System (SPRS) database within 30 days of completing the assessment to qualify for new contracts and contract renewals.

• System Security Plan (SSP): This required document contains thorough details of the implemented NIST 800-171 controls, such as operational procedures, organizational policies and technical components.

• Plan of Action and Milestones (POA&M): If you have not fully implemented any control, you must provide a POA&M document as an appendix explaining how you plan to address the deficiencies and by when you will complete the implementation. You can post updated scores once previously deficient controls have been addressed and remediated.

To be eligible for any new federal or defense contract issued after December 1, 2020, you must have completed the requirements of the Interim Rule.

Immediate steps to take
If not already completed, your organization should prepare to conduct a thorough and accurate self-assessment to measure your cybersecurity posture score as soon as possible to ensure you are adequately securing and protecting your information assets. This is the first step in preparing for the enhanced cybersecurity requirements and certification process rolling out under the new CMMC framework. To ensure you don’t miss out on any new contracts or renewal opportunities, you need to start preparing and implementing the necessary security controls and policies now.

Here are some steps you need to take to prepare your organization right away:

• Establish a System Security Plan (SSP): Building an SSP will help you map your network and information assets (hardware and software) and will give you a first count of how many of the 110 controls your business has implemented so far.

• Assess how you deal with controlled unclassified information (CUI): Ask yourself how your business manages CUI: who accesses it, where it lives, how it is shared, and so on.

The Interim DFARS Rule and What It Means for You

The Cybersecurity Maturity Model Certification (CMMC) was formally made part of the Defense Federal Acquisition Regulation Supplement (DFARS) in January of 2020 and updated to CMMC 2.0 in November of 2021. The decision sent over 300,000 members of the defense industrial base (DIB), primarily small and midsize businesses (SMBs), into a state of frenzy. Most found themselves drowning in all kinds of unnecessary noise surrounding CMMC and its implications on existing and future government contracts.

The chaos increased when the Interim DFARS Rule (DFARS Case 2019-D041) joined the fray on November 30, 2020. This rule mandates that all defense contractors perform self-assessments of their cybersecurity using the NIST (SP) 800-171 DoD Assessment Methodology to qualify for new defense contracts and renewals of current contracts.

Amid all the deliberation and scrutiny, let’s try to understand the Interim DFARS Rule and its impact on you as a member of the DIB. In this short blog, we will tell you what changed in the Interim DFARS Rule, what it mandates contractors to do and what your next immediate step should be under this latest mandate by the Department of Defense (DoD).

What changed in the Interim DFARS Rule?

This is not the first time the DoD has emphasized the need for defense contractors to follow the 110 cybersecurity controls defined in the National Institute of Standards and Technology (NIST) Special Publication 800-171, generally referred to as “800-171.”

Even prior to the adoption of CMMC, DFARS required most defense contractors merely to attest that they followed all the controls specified in 800-171. However, many contractors were not compliant, and government audits were sporadic, which led to controlled unclassified information (CUI) being leaked.

Therefore, in a bid to counter potential security threats, the Interim DFARS Rule requires contractors to complete self-assessments and formally score their 800-171 compliance status using a specific scoring system developed by the DoD. The post-assessment score must be uploaded to a federal database, the Supplier Performance Risk System (SPRS), for the contractor to qualify for new contracts and renewals.

The deadline to conduct a self-assessment and upload it to the SPRS database was November 30, 2020, if you intend to accept any DoD-related contracts that include the flow down of contract clause DFARS 252.204-7012 issued after December 1, 2020.

Now that you understand the urgency with which you must approach complying with the Interim DFARS Rule, let’s discuss how the interim rule scoring works.

Self-assessment and the scoring matrix
During the self-assessment, contractors are expected to rate themselves based on the implementation of each of the 110 NIST (SP) 800-171 cybersecurity controls. The CMMC requires DoD contractors to conduct these self-assessments once every three years unless anything necessitates a change. Because contractors are subject to DoD and prime contractor audits at any time, it is critical to maintain the cybersecurity controls and have recent documentation validating that everything has remained secure and compliant.

The assessment scoring begins with a perfect score of 110, one point for each NIST 800-171 control. Points are then subtracted for each control that has not been implemented. Each control holds a weighted point value ranging from one to five based on its significance.

No credit is given for partially implemented controls, except for multifactor authentication and FIPS-validated encryption. Although NIST does not prioritize its security requirements, it acknowledges that some controls have a higher impact on a network’s security.
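As an added illustration (not Nomerel’s material or the DoD’s own tool), here is the scoring method described in this section and in the DFARS Interim Rule section above, worked through in Python. The control list and weights are a constructed sample, and the partial-credit deductions for multifactor authentication and FIPS-validated encryption are assumed values, since the page states the rule but not the figures.

```python
# Added example, not Nomerel's or the DoD's code: a small model of the SPRS
# scoring rules above. Assumed (not on the page): partial credit for MFA
# (3.5.3) and FIPS encryption (3.13.11) is a 3-point deduction instead of 5.
from dataclasses import dataclass

PERFECT_SCORE = 110                              # one point per 800-171 control
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}   # the only partial-credit cases

@dataclass(frozen=True)
class Control:
    ident: str
    weight: int   # points lost if not implemented (1 to 5, by importance)
    status: str   # "implemented", "partial" or "not_implemented"

def deduction(control: Control) -> int:
    """Points lost for one control under the weighted scoring rules."""
    if control.status == "implemented":
        return 0
    if control.status == "partial":
        # No credit for partial work except the MFA and FIPS exceptions.
        return PARTIAL_DEDUCTION.get(control.ident, control.weight)
    if control.status == "not_implemented":
        return control.weight
    raise ValueError(f"{control.ident}: unknown status {control.status!r}")

def sprs_score(controls):
    """Return (score, poam_items): the SPRS score plus every control that lost
    points and so needs a POA&M entry. Unlisted controls count as implemented."""
    score, poam = PERFECT_SCORE, []
    for c in controls:
        lost = deduction(c)
        score -= lost
        if lost:
            poam.append(c.ident)
    return score, poam

# Constructed sample (six of the 110 controls; weights are illustrative).
SAMPLE_CONTROLS = [
    Control("3.1.1", 5, "implemented"),      # limit system access
    Control("3.5.3", 5, "partial"),          # MFA: partial credit applies
    Control("3.13.11", 5, "partial"),        # FIPS crypto: partial credit applies
    Control("3.3.1", 5, "not_implemented"),  # audit logging
    Control("3.8.8", 1, "not_implemented"),  # portable storage ownership
    Control("3.4.7", 3, "partial"),          # no partial credit for this one
]

if __name__ == "__main__":
    score, poam = sprs_score(SAMPLE_CONTROLS)
    print(f"SPRS score {score}/{PERFECT_SCORE}; POA&M needed for {poam}")
```

Every control that appears in the returned POA&M list is one whose remediation lets you post an updated score later.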

Here is what you must remember with respect to the self-assessment:

• If you do not receive a perfect score of 110 points, you must create a Plan of Action and Milestones (POA&M) document outlining how the deficiencies will be addressed and the failing items remediated. You can update your score when the shortcomings are addressed and remediated.

• As a contractor, you must also develop a System Security Plan (SSP) with details of the implemented NIST 800-171 controls, such as operational procedures, organizational policies and technical components.

• Neither SSPs nor POA&Ms are uploaded to the federal database, but both must be available for audit.

• Upon concluding the self-assessment, you must submit your score to the governmental SPRS database within 30 days.

Now that we have established all that you must do, there’s no time to waste. Here’s what you immediately need to do.

Get assessment-ready now!

To qualify for new contracts and renewals while CMMC is being rolled out, you must start gearing up to conduct a thorough and accurate self-assessment and do whatever it takes to fulfill today’s cybersecurity requirements. This way, you will comply with the Interim DFARS Rule and be prepared for every future development with respect to CMMC.

Navigating the complexities of CMMC can be overwhelming. That’s why having an experienced partner to shoulder the responsibility will ease the pressure on you. We would love to chip in with our best efforts. All it takes is an email allowing us to talk to you about it.