16 Dec CMMC Interim Rule Relies on NIST (SP) 800-171
What Is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a new five-level cybersecurity framework that contractors must attain if they want to do business with the Department of Defense (DoD). To comply, defense contractors must engage with an independent, certified third-party assessor to verify that all required cybersecurity controls are in place and have been consistently implemented over time.
There are five levels of CMMC, with each level adding additional controls. The DoD determines which CMMC level is required for each individual contract. To qualify for a contract bid, the DoD requires businesses to achieve CMMC certification for one of the five levels. Failure to comply with CMMC going forward will result in the loss of government contracts, potential violations of the federal False Claims Act and rejection from future contracts.
CMMC was formally made part of the Defense Federal Acquisition Regulation Supplement (DFARS) in January 2020. However, CMMC is expected to take five years to be fully implemented because CMMC training materials and training programs must be developed, assessors trained and certified, assessor companies certified, and then an estimated 200,000+ defense contractors certified.
DFARS Interim Rule
While CMMC is being rolled out, self-assessed directives are in place for defense contractors based on the 110 cybersecurity controls in the National Institute of Standards and Technology (NIST) Special Publication 800-171, generally referred to as “800-171.” Prior to the adoption of CMMC, DFARS required most defense contractors to simply attest to the fact that they followed all of the controls specified in 800-171. But many contractors were not fully compliant, and government audits were few and far between. As a result, too many breaches of Controlled Unclassified Information (CUI) leaked out of government contracts.
The DFARS Interim Rule now requires all contractors to perform complete self-assessments and formally score their 800-171 compliance status. The specific scoring system developed by the DoD must be followed, and the post-assessment score must be uploaded to a federal database – the Supplier Performance Risk System (SPRS). Contractors must also create a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) to cure any deficiencies prior to qualifying for future contracts.
MSP Opportunity Working With Defense Contractors
It’s estimated that 99 percent of the 300,000+ defense contractors are small businesses. Many of these companies do not have internal IT departments and are therefore likely to engage with an MSP to help with the new Interim Rule requirements. You can help defense contractors not only perform an 800-171 self-assessment but also identify and remediate any gaps. This can help them maximize the score that gets sent to the DoD and improve the likelihood that they will qualify for more contracts. You can also help your client quickly and easily generate the mandatory SSP and POA&M required by the Interim Rule.
How To Get It Done
MSPs and MSSPs don’t need to be government procurement experts in order to help with 800-171 self-assessments and future CMMC requirements. RapidFire Tools has released a new CMMC module for its popular Compliance Manager platform specifically to guide MSPs through the assessment process.
With Compliance Manager, the MSP can use the role-based platform to work with the client stakeholders and, if needed, engage with third-party subject matter experts to complete the assessment. Through a combination of network and computer data gathered by the software, and supplemental information provided by the MSP and/or client, the system will automatically generate the 800-171 scoresheet (based on the DoD’s proprietary scoring rubric) and also produce completed SSP and POA&M documents.
In addition, since CMMC Levels 1-3 are all based on specific 800-171 controls, when the client is ready to go for a specific CMMC certificate, they can re-use much of the responses and data collection produced for the 800-171 assessment, thus dramatically streamlining the CMMC certification process.
The CMMC module also collects and stores evidence of compliance for each control specified by 800-171. Once the client has achieved compliance with the desired standard, whether 800-171 or CMMC, the MSP should regularly review and rerun the assessment so that the evidence of compliance will be up to date. Even though the Interim Rule’s 800-171 self-assessment scores – and the CMMC Certificate, when earned – will each be good for three years, defense contractors may face surprise audits from prime contractors and the DoD. If that occurs, the client will need to demonstrate that they are not only currently compliant but also prove that they maintained compliance over time.
Ask for a demo of Compliance Manager to see how it works.