What MSPs Need to Know About CMMC Interim Rule Scoring

Back to Blog

What MSPs Need to Know About CMMC Interim Rule Scoring

In a previous blog, we dove into the details of the new Cybersecurity Maturity Model Certification’s (CMMC) Interim Rule. The Department of Defense (DoD) established this rule to protect Controlled Unclassified Information (CUI) in the department’s supply chain during CMMC’s five-year rollout phase.

The rule dictates all contractors and subcontractors to perform a cybersecurity self-assessment, score the assessment according to a specific methodology, and create documents that they must submit to the DoD.

The required scoring methodology, defined by the National Institute of Standards and Technology (NIST) in Special Publication 800-171, is intended to create an objective assessment of a contractor’s implementation status. The CMMC calls for DoD contractors to conduct assessments once every three years, unless changes arise that necessitate a different frequency.

The assessment scoring begins with a perfect score of 110 for each of the NIST (SP) 800-171 controls with which an organization must comply. Points are subtracted for every control that’s not implemented, but each control holds a point value ranging from one to five, based on a control’s significance. No credit is given for partially implemented controls, except for multi-factor authentication and FIPS-validated encryption. Though NIST does not prioritize security requirements, it does declare that certain securities bear greater impact on a network.

If a contractor receives less than 110 points, they must generate a Plan of Action and Milestones (POA&M) document that details how they will address their deficiencies and when the implementation will be complete. Organizations may also post updated scores as deficient controls are remediated.

Once a contractor concludes the self-assessment, the results must be submitted to the governmental Supplier Performance Risk System (SPRS) database within 30 days.

With Compliance Manager, the MSP can use the role-based platform to work with the client stakeholders and, if needed, engage with third-party subject matter experts to complete the assessment. Through a combination of network and computer data gathered by the software, and supplemental information provided by the MSP and/or client, the system will automatically generate the 800-171 scoresheet based on the DoD’s proprietary scoring rubric. It will also produce completed System Security Plan (SSP) and POA&M documents.

Ask for a demo of Compliance Manager to see how it works.