The CMMC interim rule, detailed in DFARS 252.201-7019 and 252.201-7020, has many contractors in Dayton on edge about remaining in compliance, which is what allows them to be awarded future contracts.
Most Department of Defense (DoD) contractors are starting to implement the new cybersecurity process known as the Cybersecurity Maturity Model Certification (CMMC). Because the government has a slow rollout plan for this new framework, which aims to have all contractors handling Controlled Unclassified Information (CUI) certified by the year 2025, many of the small- to medium-sized companies and sole proprietors were hoping they could move forward without any impact for the next couple of years. Although it is true that CMMC will affect only roughly 15 contracts in the year 2021, the Department of Defense has implemented something known as the ‘Interim Rule’ that went into effect on November 30, 2020.
What is the Interim Rule?
On September 29, 2020, DoD issued this rule as part of the CMMC program, requiring companies to complete a self-assessment in order to be awarded new contracts. Under the Defense Federal Acquisition Regulation Supplement (DFARS) provision 252.201-7019, contractors must have a current risk assessment (meaning no older than 3 years) of the organization’s cybersecurity effectiveness.
Why is this starting now?
It’s not much of a secret that theft of intellectual property and sensitive information not only damages the U.S. economy, but is also a major threat to national security. The Council of Economic Advisors estimated that malicious cyber-attacks cost the U.S. economy anywhere from $570 billion to $1.09 trillion. With that in mind, the Department of Defense decided it had to find a way to prevent further loss of our country’s intellectual property, which led to CMMC. Instead of requiring all defense contracting companies to comply with CMMC in year 1, they decided on a slow, methodical rollout. Since many companies will not have to certify through CMMC until the year 2025, DoD still needed a way to limit potential attacks in the meantime; hence the interim rule.
How do you comply with the interim rule?
There are three basic steps needed to be in compliance with the interim rule:
1) Complete a self-assessment. DFARS clause 252.201-7020 designates the NIST SP 800-171 methodology as the required framework for completing the self-assessment. This framework walks through 110 different cybersecurity controls and the expectations that must be met for compliance. While working through these controls, you will also be producing an overall cybersecurity score. The score starts at a maximum of 110, and points are deducted for every control that is not in compliance. Some of the controls are weighted, meaning a single control can cost up to 5 points instead of just 1 point, so the total deductions can exceed 110 and a negative score is possible.
2) System Security Plan. The System Security Plan (SSP) is a remediation plan that outlines the findings from the self-assessment. It details which controls are implemented and which are planned to be implemented. It will also provide details on the implementation plans, as well as on any controls considered ‘Not Applicable’.
3) Upload information into SPRS. SPRS stands for Supplier Performance Risk System; the website is https://www.sprs.csd.disa.mil/. It serves as a central database the government uses to confirm that a current assessment is on record prior to contract award.
Do not let this task appear too daunting. It is a big undertaking, but it can be broken up into smaller pieces to make the burden less strenuous. Breaking this process down into smaller projects, each with its own deadline, can help ease the burden and assist with staying focused. And if you have any questions, contact the experts at LMS. LMSolutions LLC is a Dayton-based cybersecurity consulting firm with a proven track record in supporting DoD contracts and assisting companies in multiple industries in navigating risk-based assessments. LMS is staffed with Registered Practitioners who are well versed in the CMMC methodology. Our calling is to remain focused on regulatory updates, allowing you to remain focused on your calling.