It can be confusing to determine how to move forward amid perceived uncertainty regarding CMMC 2.0. Keep in mind that, foundationally, the change from CMMC 1.0 to 2.0 is simply a realignment with NIST 800-171, as well as some changes in how maturity requirements are documented.
Although the exact timing of CMMC 2.0 is uncertain, it makes sense to begin the process of becoming compliant today. Compliance will be a mandate soon, and the time to get ahead of it is now. With CMMC 2.0, noncompliance will be a deal breaker, so ignore the noise and implement NIST 800-171.
Background on NIST 800-171
The DOD has explicitly stated that the requirements of CMMC 2.0 will mirror NIST 800-171, a mandate that was released in December 2016. If you had leaned into the requirement back in 2017 and implemented NIST 800-171, you would be done by now, as the requirements haven’t substantively changed. Focusing on this set of requirements will be time and resources well spent, regardless of the actual deadline.
Adding to the case for implementing the controls outlined in this NIST standard is the fact that DFARS 252.204-7012 already mandates the implementation of NIST 800-171. This DFARS clause, issued in August 2015, covers safeguarding covered defense information and cyber incident reporting.
The DFARS clause is common throughout the defense industrial base, appearing in well over one million contracts for organizations including research and development firms and manufacturers, as well as third-party service organizations that support a prime contractor, such as HVAC companies. If you have this clause in your contract, the government thinks you have CUI (controlled unclassified information), and you need to take your cybersecurity seriously.
First, chart your course
Getting started on implementing the 110 controls mandated in NIST 800-171 can seem like an insurmountable challenge. You need a map or playbook to make the process manageable, to help you prioritize cost-efficiently, and ultimately to achieve compliance.
No matter where you are in the process, this rubric can help guide your journey.
| Phase | What it involves | Steps |
| --- | --- | --- |
| Assess | Assess your existing infrastructure and provide a detailed report of what is needed. | STEP 1 – Assess for compliance with NIST 800-171. STEP 2 – Generate a System Security Plan (SSP). |
| Implement | Implement all elements — write all policies, plans and time frames, install all technical controls — required for compliance. | STEP 3 – Document Plans of Action & Milestones (POA&Ms). STEP 4 – Implement the security requirements. |
| Manage | Continuously collect, review and preserve evidence of your ongoing compliance. Remediate compliance gaps as you find them. | STEP 5 – Maintain compliance. |
Then enter your SPRS score
After you have completed your assessment as outlined in Step 1 above, you need to score it and then log that information with the DOD via the Supplier Performance Risk System (SPRS).
SPRS “…is the authoritative source to retrieve supplier and product PI [performance information] assessments for the DOD [Department of Defense] acquisition community to use in identifying, assessing, and monitoring unclassified performance.” (DODI 5000.79).
This scoring system ranges from a positive 110, if you’re fully compliant, to negative 203, if your organization has done nothing in terms of cybersecurity controls implementation. By law, contracting officers access SPRS and verify that each contractor has an assessment on record. If you are a prime contractor, you are required to ensure that your subcontractors have completed their SPRS submissions.
Failing to complete and score your assessment and to enter the result in SPRS puts your future revenue at risk: you could lose valuable contracts simply because your information is not logged in SPRS.
SPRS is a government website, and entering your score is rather like submitting your taxes. As part of your submission, you attest to the date on which you completed your assessment, as well as to your score.
An important thing to keep in mind is that by entering your score, your company is committing to full compliance. In fact, there’s a field for your plan of action completion date. Perhaps your score is negative 125, which is not uncommon. The government wants to know, and wants you to attest to, the date by which your plan of action and milestones will be complete.
As you work to determine your next steps, we are here to help. CyberSheath is an industry leader in the managed security service provider (MSSP) space with a long track record of success for our customers. We assess your current state, then tailor and deliver the solution for full compliance with single-source ease, efficiency, and accountability. Contact us to get started.