
Assessment: The First Step in Your CMMC Compliance Journey

Now is the time to begin navigating your path to CMMC compliance, and completing an assessment is an important start. Focus on the requirements, which have always been DFARS clause 252.204-7012, requiring the implementation of the 110 controls of NIST 800-171. Ignore the noise surrounding CMMC 2.0 and NIST 800-171, rev. 3.

If you implement NIST 800-171, you’ll be in great shape for the future and meet all the requirements of CMMC 2.0 when it formally arrives. Before you get started, familiarize yourself with the DFARS clause and NIST 800-171.

Now you’re ready to start planning your assessment

The assessment methodology approach we follow is grounded in the existing requirements. Besides the procedural benefits of starting with an assessment, it’s also required for your Supplier Performance Risk System (SPRS) submission. Done right, an assessment at a minimum provides everything required for you to enter your information into SPRS. Every business wants to know, “How much is CMMC going to cost?” and “How long is it going to take?” Your assessment will tell you that.

The impact of non-compliance

As a contractor, your company is required by DFARS 252.204-7019 to use the DoD Assessment Methodology to score the implementation of the NIST 800-171 controls. After completion of the assessment, you must then submit this score to SPRS and attest to having performed a “basic” assessment, along with attesting that you possess a system security plan (SSP) and a plan of action and milestones (POAM).

There are significant risks and implications associated with a failure to comply with the security requirements, including being prevented from bidding on a contract suited to your company’s competencies, breach of contract, termination of an existing contract for default, and poor past performance ratings.

Beyond potentially standing in the way of contract award, the reason to do the assessment is that it becomes your roadmap to full compliance, including establishing a budget and timeline for completion.

Pros and cons of a DIY or outsourced assessment

It’s our belief that eventually companies are going to want a third party to perform an assessment, because having an outside party come in and look at your compliance posture adds a layer of control and due diligence. It gives you an independent third-party view, divorced from bureaucracy, career aspirations, and politics. There are, however, benefits and disadvantages both to completing the assessment on your own and to relying on a third party to do the work.

Doing it on your own

  • Why it makes sense – If you’re going to use your own resources, you already know your people, processes, and technologies and should be able to ramp up quickly. You’ll also have easy access to any required artifacts, since chances are you already know who to go to, where things are stored, et cetera. Potentially no additional budget would be required for this approach, as it’s just additional time and one more, albeit substantial, task for you and your team to accomplish.
  • Why it might not – In an internally led assessment, blind spots tend to remain blind spots. Issues that run counter to the bureaucracy, politics, and everything else that makes up a company culture may go unreported, whether inadvertently or intentionally. Also, the DFARS/NIST learning curve can be steep. What we often find is that companies have great technical talent but struggle with knowledge of the regulatory issues.

Hiring a third party

  • Why it makes sense – By relying on an outside resource, you get instant DFARS/NIST 800-171 expertise. And if you select the right partner, you also gain access to a team whose dedicated, full-time focus is completing your assessment, including producing documented external validation. Consider this: you may have a set of things you believe about your posture, but it’s often helpful to have a third party come in and document them. It gives you a more vetted platform from which to approach your board and your executive leadership team.
  • Why it might not – You can get sold a tool that promises to make you compliant, and no such tool exists. Having a third party conduct your assessment requires budget, and that may be something you didn’t think of or plan for. Also, the outside entity will need to get up to speed on your people, processes, and technology.

The sooner you start your assessment, the closer you’ll be to your goal of complying with CMMC. Do your assessment. It’s the foundation of all the good things to come. If you would like assistance, contact the experts at CyberSheath to help you get started.
