The CMMC Interim Rule and NIST (SP) 800-171 Implementation
Why an “Interim Rule” for CMMC
Since 2018, most defense contracts have been subject to DFARS clause 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting. This clause requires contractors to apply the 110 security requirements detailed in the National Institute of Standards and Technology's (NIST) Special Publication 800-171, commonly known as NIST (SP) 800-171 or simply 800-171.
Relying on contractors to simply attest that they were in compliance with 800-171 was not a realistic or secure expectation. Relying on contractors to take the steps to implement all 110 controls was not working, and the DoD supply chain continued to fall victim to cyber attacks. In response, a more stringent cybersecurity program became paramount, and in January 2020 CMMC was announced. However, it will be years before CMMC requirements work their way into all DoD contracts, and until they do, an Interim Rule has been established to bolster the reporting requirements around 800-171 compliance.
The Three Requirements of the Interim Rule
Three critical components of the Interim Rule impact every government contractor and create a tremendous opportunity for MSPs and MSSPs:
1. Scored Self-Assessments
It’s no longer enough to simply declare that you have implemented 800-171. Government contractors must now review their implementation of each of the 110 cybersecurity controls included in 800-171 and score themselves based on a detailed methodology defined by DoD.
2. System Security Plans (SSP)
The self-assessment score must also be accompanied by a completed System Security Plan (SSP), which identifies the functions and features of a system, including all of its hardware and software. The SSP defines the security measures that have been put in place to limit access to authorized users and provides details of the processes for auditing and maintaining the system. The plan also helps establish an incident response plan in the event of a breach.
In short, the SSP is a comprehensive summary of all security policies and procedures that will help keep DoD data secure if the DoD awards a contract.
3. Plan of Action and Milestones (POA&M)
For any of the 110 controls identified in 800-171 that are not fully implemented, the contractor must submit a Plan of Action and Milestones (POA&M) along with their self-assessment score and SSP. The POA&M identifies each task that needs to be completed in order to implement a missing control, including resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.
Key Points MSPs and MSSPs Should Keep in Mind
A profusion of companies within the DoD supply chain, along with many rapid changes, creates confusion in the marketplace. Now is your opportunity to come in as a trusted technology advisor.
Here are a few key points to pass along and be aware of when you talk to clients or prospects about helping them with the Interim Rule requirements.
The new directive is now in effect and will remain in force for most DoD contracts unless or until a specific CMMC Level is referenced in the contract.
The requirement is not just for prime contractors. Primes must flow this requirement down to their subcontractors and suppliers.
Contractors are required to complete an 800-171 self-assessment based on the DoD scoring methodology, as well as their System Security Plan (SSP) and POA&M. Their assessment score must be posted in the SPRS (Supplier Performance Risk System) before a contract will be awarded.
Contractors with a score below 110 must continually work toward the perfect score and follow the approach and timeline they submitted in their POA&M.
The Defense Contract Management Agency (DCMA), which provides contract administration services for the DoD, will conduct random audits to ensure companies completed the self-assessment, scored themselves accurately, established an SSP, and are working towards completing a realistic POA&M.
The Compliance Automation Solution Purpose-Built for CMMC and 800-171
MSPs and MSSPs don’t need to be government procurement experts in order to help with the Interim Rule and future CMMC requirements.
Compliance Manager for CMMC includes a comprehensive workflow automation engine that:
Walks you through the 800-171 assessment process for each of the 110 cybersecurity controls
Automatically scores the assessment based on the DoD’s proprietary scoring rubric
Generates a Risk Management Plan with guidance on how to remediate issues that impact the score
Automatically generates the System Security Plan (SSP) directly out of your assessment
Automatically produces the Plan of Action and Milestones (POA&M) directly out of your assessment
Everything you need to help your clients meet the requirements of the DFARS Interim Rule is included!
No Time To Lose! Let’s Get Started!
The Interim Rule is now in force, and most of the 300,000 DoD contractors are small and medium-sized businesses that will need your help in implementing this rule. And the best news is that while you walk your clients through the 800-171 implementation assessment with the CMMC module, you will also be getting them ready for the CMMC third-party assessment.