CMMC In 2021: Is Your Organization Mature?

Thanks to the DFARS Interim Final Rule that went into effect Nov. 30 2020, all DoD contractors and subcontractors are now required to submit scored self-assessments against NIST 800-171 requirements.

Has your company already completed this step? Are they prepared to do so? What do you need to know to prepare and protect your business?

Make sure you know what you need to be working on in 2021 to ensure you’re confidently CMMC compliant.

Reviewing CMMC In 2020

CMMC stands for Cybersecurity Maturity Model Certification. It is the DOD’s way of certifying its contractors’ abilities to protect the Federal Contract Information (FCI) and CUI shared within the supply chain.

In October 2020, the DoD released their Interim Final Rule, which set a deadline for NIST compliance and a timeline for CMMC compliance. These new compliance standards not only put DoD contractors on the clock, but also presented them with far more rigorous expectations than they’ve been subject to before.

CMMC builds upon the requirements set out by Defense Federal Acquisition Regulation Supplement (DFARS), Code Of Federal Regulations (CFR) and National Institute of Standards and Technology (NIST) guidelines (namely, 800-171 of the latter).

The DOD relies on external contractors and suppliers like you to carry out a wide range of tasks. Sensitive data that is shared with you must be protected. The fact is that inadequate safeguards for this sensitive data may threaten America’s National Security and put our military members at risk.

The DOD has implemented a basic set of cybersecurity controls through DOD policies and DFARS. These rules and clauses apply to the safeguarding of contractor/supplier information systems that process, store or transmit CUI. These security controls must be implemented at both the contractor and subcontractor levels based on information security guidance developed by the National Institute of Standards and NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations”.

As a U.S. DOD contractor who collects, stores, or transmits Covered Defense Information (CDI) or CUI you must comply with NIST regulation 800-171 and DFARS 252.204-7012. Your subcontractors must comply as well and be able to maintain compliance.

Tracking The Changes Imposed By CMMC

DFARS 252.204-7019

This clause sets a requirement for an assessment of NIST 800-171 from Nov. 30, 2020, onward. Building off the DCMA program, it will act as the bridge to CMMC over the coming years.

Assessments fall into three categories:

  • Basic (self-assessment)
  • Medium (conducted by DCMA)
  • High (conducted by DCMA)

The results of any such assessments are required to be uploaded to the Supplier Performance Risk System (SPRS). The SPRS will act as the central database, holding results of NIST assessments and the CMMC certifications for DoD review.

DFARS 252-204-7020

This clause lays out two requirements:

  • Contractors are to provide access to “facilities, systems, and personnel” in support of assessments.
  • “Subcontractors have results of a current assessment in SPRS prior to contract award.”

These requirements consolidate all assessment-associated info and ensure that assessors can access systems for the purpose of an assessment.

DFARS 252-204-7021

This clause requires CMMC to be included in all contracts moving forward from the deadline. The details of CMMC compliance align with previous versions released by the DoD.

Furthermore, it’s important to note that DFARS 252.204-7012 hasn’t been modified. This means the underlying requirements for FedRAMP Moderate, NIST 800-171, and clauses (c) through (g) will continue unchanged.

Who Needs To Comply With CMMC?

If you do business with the DPD, NASA, GSA or another state/federal agency, you need to be prepared for the CMMC framework. Anyone operating in the DOD supply chain must become certified to showcase that they’re able to protect controlled unclassified information (CUI).

What Happens If You’re Not Compliant?

The penalty for CMMC compliance is simple — if you’re not compliant, you can’t be awarded defense contracts. There are no fines or conventional penalties. You’re just unable to operate in the DoD contracting space any longer.

While complying with these new requirements will undoubtedly require a further investment of time and money beyond your standard compliance efforts, it’s important to note the silver lining — compliance will likely reduce your competition.

As it becomes more difficult to operate in the defense sector, smaller competitors will likely drop out. Becoming compliant with CMMC will require more resources, and not all current contractors will see the benefit of investing further, especially if they don’t have the capital to do so.

That makes the market less competitive for contractors that do make the effort to become compliant. And that’s not the only benefit — these new requirements aren’t arbitrary. Implementing them will have additional benefits as well, making your company more secure and of greater value to your clients.

Start Developing CMMC Maturity In 2021

A key consideration in your CMMC planning and timeline is the concept of maturity. That is, the longer your organization has a CMMC compliant cybersecurity plan in place, the more “mature” it is considered to be.

It is estimated that an effective plan will take 6-9 months to roll out, but project managers will be looking for more experience while maintaining such a plan. That means, the sooner you can define and implement your plan, the sooner it will be in place, and the more experience (and maturity) you can achieve. That’s why you need to get started right away…

3 Steps To Compliance In 2021

Planning your compliance in 2021 begins with assessing the state of your systems, then developing a roadmap to remediation, and finally, implementing the IT tools and best practices to maintain it.

Follow these steps to start your journey to NIST 800-171 and CMMC compliance in 2021:

Plan – Readiness Assessment

  • Assess your current environment and future needs
  • Determine the level of CMMC compliance needed
  • Summary review of your existing SSP and POAM (if possible)
  • Develop a roadmap for NIST 800-171 and CMMC compliance
  • Discuss high-level budget

Prepare – Gap Assessment

  • Establish/Document System Boundaries
  • Review Existing Policies/Procedures
  • Review IT Environment
  • Review Physical Security Practices
  • Assess Entirety of Evidence Collected
  • Identify/Document Gaps
  • Provide Security Assessment Report and POAMs

Protect – Remediation

  • Document Policies/Procedures
    • For client customization of specific administrative policies and practices
    • For specific IT policies and practices
  • Implement IT Plan
    • Server/Workstation Configurations
    • Hardware/Software Installations
  • Finalize System Security Plan

Need Expert Assistance Implementing CMMC?

Don’t go into your CMMC audit without the confidence that you’ll pass with flying colors.

RetroFit Technologies will help — we have extensive experience helping contractors like you to maintain compliance with complex systems like DFARS and NIST. We will do the same for your upcoming CMMC audit.

Start developing CMMC maturity right away with expert assistance from RetroFit Technologies.