Right off the bat, we’re here to tell you that anyone promising you a sure-shot solution to all your CMMC woes is trying to pull a fast one on you. The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive move by the U.S. Department of Defense (DoD) that involves a lot of moving parts that have not been finalized yet. In fact, with the planned rollout of the new CMMC requirements scheduled to take place over the next five years (through to 2026), you should expect a few changes or bottlenecks along the way.
Despite the long implementation timeline, your business cannot afford to fall prey to misinformation or hope for a mythical magic bullet that will put an end to your CMMC woes. There’s absolutely no reason for you to wait until the last minute to implement the new security controls in hopes that everything will be clearer or totally in order by then. You need to seek accurate information with respect to your current cybersecurity maturity stance and what you should start preparing for. You should be implementing these changes within your business immediately to ensure you will be ready for the imminent changes to your eligibility as a contractor or supplier for the DoD and other federal entities.
We have highlighted some important aspects you must focus on now to remain eligible and in good standing with current regulatory requirements. In addition, we’ve also listed some strategic steps that you should immediately implement throughout your business to be ready for the enhanced cybersecurity practices required under the new CMMC framework.
Since new requirements under CMMC will not be fully rolled out until 2026, the Interim Rule was established by the Defense Federal Acquisition Regulation Supplement (DFARS) to immediately establish a push for the DoD Assessment Methodology component of the CMMC framework to get a measure of contractor implementation of the existing cybersecurity requirements. DFARS Case 2019-D041, effective November 30, 2020, states that the Interim Rule mandates all DoD prime contractors and the estimated 300,000 plus members of the DIB supply chain to perform a basic self-assessment of their current cybersecurity posture and document their results in the Supplier Performance Risk System (SPRS) at https://www.sprs.csd.disa.mil/.
All contractors and subcontractors, having existing contractual obligations with respect to the NIST SP 800-171 framework standards, must complete a self-assessment that measures their organization’s implementation regarding the NIST requirements using the standard assessment and scoring methodology. The assessment score must be uploaded to the federal Supplier Performance Risk System (SPRS) database in addition to other requested or required documentation records.
To help you better understand the DFARS Interim Rule requirements, you must familiarize your organization with these important components:
Eligibility to win all new federal or defense contracts issued after December 1, 2020, will include requirements with respect to the completion of the Interim Rule standards. This essentially means the deadline for conducting a self-assessment and uploading your score and documentation to the SPRS database was yesterday (yes, you read that right) if your organization intends to accept any DoD or federally related contracts moving forwards.
If not already completed, your organization should prepare to conduct a thorough and accurate self-assessment to measure your cybersecurity posture score as soon as possible to ensure you are adequately securing and protecting your information assets. This is the first step in preparing for the more enhanced cybersecurity requirements and certification process rolling out under the new CMMC framework. To ensure you don’t miss out on any new contracts or renewal opportunities, you need to start preparing and implementing the necessary security controls and policies now.
Here are some steps you need to take to prepare your organization right away:
The enhanced cybersecurity policies, controls and standards within the CMMC regulatory framework are vast and complex, making understanding your obligations and how or where to get started a daunting and overwhelming task. Partnering with a specialist can help make the overall process less stressful and time consuming. At our firm, we can provide you with the specialized tools and cybersecurity expertise you need to help you prepare for and implement the cybersecurity controls necessary to satisfy and validate compliance for both the DRARS Interim Rule and new CMMC requirements.
Article curated and used by permission.