DFARS Interim Rule & CMMC: How To Get Ready For Your Assessment

In the fall of 2020, the DoD published its Interim Final Rule (DFARS Case 2019-D041, adding clauses 252.204-7019, -7020 and -7021). It requires contractors to have a current NIST SP 800-171 assessment on file before new awards and sets a phased timeline for CMMC. If you do business with the DoD, NASA, GSA or another state or federal agency, you need to be prepared for the CMMC framework. Anyone operating in the DoD supply chain must become certified to demonstrate that they can protect controlled unclassified information (CUI).

If you haven’t started planning your compliance processes yet, it’s not too late — do you know where to begin?

What Can You Do Right Now To Start On Your CMMC Compliance?

Level 1 (Basic Safeguarding Of FCI)

Only the Performed process maturity level is required (that is, practices must be performed but need not be documented).

  • Safeguards from FAR 52.204-21 (a selection; the clause lists 15 in total):
    • Limit access to authorized users
    • Limit access to the types of transactions and functions that authorized users are permitted to execute
    • Verify and control/limit connections to and use of external information systems
    • Control information posted or processed on publicly accessible information systems
    • Limit physical access to systems to authorized individuals
    • Escort visitors and monitor visitor activity; maintain audit logs of physical access
    • Provide malicious code protection (AV/anti-malware) and keep it updated when new releases are available
    • Perform periodic scans of systems and real-time scans of files from external sources

CMMC Level 2 (Transition Step To Protect CUI)

The Documented process maturity level is required here: practices must be performed and documented.

  • 55 additional practices (72 in total), including:
    • Regularly perform and test backups
    • Monitor remote access sessions
    • Maintain system audit logs
    • Security Roles and Responsibility training
    • Control and monitor user-installed software
    • Establish an Incident Response program
    • Vulnerability Scans and Remediation in accordance with risk assessments
    • Develop and maintain a System Security Plan (SSP)
    • Develop and implement a Plan of Action to reduce system security deficiencies

CMMC Level 3 (Protecting CUI)

Process maturity: Managed, meaning practices are documented and managed under a resourced plan.

  • 58 additional practices (130 in total, covering all 110 NIST SP 800-171 requirements plus 20 further practices), including:
    • Continuous Monitoring and Logging
    • Security Awareness Training
    • Backup
    • MFA for remote access
    • Incident Response Plan
    • Configuration Management Plan

Furthermore, you should be planning your budget for the compliance process as well. Do you know what compliance will cost you?

How Much Does A CMMC Certification Cost?

It’s difficult to narrow down an exact cost for CMMC compliance, as it will largely depend on your current state of compliance, and what you will have to do to remedy it. The larger the gap between your current state and a compliant state, the more it will cost.

That’s why you need to develop a budget for your CMMC compliance processes. Your CMMC budget needs to consider the following factors:

Plan Your Resources

To start, take stock of the state of your systems and how they may need updating. Additionally, you’ll want to consider how your systems may or may not be compliant — particularly if you’re in the cloud.

Answer the following questions:

    1. Will your IT systems need updating within the next year?
    2. Are your systems on-premise or cloud-based?
    3. If on-premise, will you be planning on a cloud migration in the coming year?
    4. If cloud-based, are you using the provider’s compliant cloud solution?

With these points in mind, you can better understand how much you’ll need to budget for major projects in the coming year. Whether that means a full cloud migration, or switching to a compliant cloud solution, it’s better to know now instead of later.

Developing Compliant Policies

A core component of CMMC compliance at Level 2 and above, and of Level 3 certification in particular, is to both possess documented policies and demonstrate that they are followed.

Take stock of your current policies and associated practices by answering the following questions:

  1. Do you have documented policies?
  2. Has your team been trained to follow them, and are they tested on their knowledge?
  3. Have your policies been reviewed by a third party?
  4. Do you have a process for updating policies?

Regardless of whether you hire outside support for your policy development or handle it entirely in-house, you’ll need to budget for that time and expense.

Cover Assessments, Audits & Testing

There are three primary expenses you’ll want to include in your budget when it comes to demonstrating your CMMC compliance efforts:

  1. Self-Assessments: DFARS 252.204-7019 requires contractors to have, at a minimum, a current Basic Assessment, which is a self-assessment against NIST SP 800-171 with the resulting score posted to the Supplier Performance Risk System (SPRS). Make sure you’ve allotted for that time and for any expenses stemming from hiring outside support.
  2. CMMC Audits: Later on, you’ll also need to have an assessment performed by a CMMC Third-Party Assessment Organization (C3PAO). Unfortunately, the cost of this type of audit isn’t widely known right now, given how new the system is.
  3. Don’t Forget About Your Supply Chain: The Interim Final Rule is also intended to standardize cybersecurity throughout your supply chain. Make sure that you consider the additional resources needed to ensure a maturity level commensurate with the information you share with any third parties in your supply chain.

Compliance Will Make You More Competitive

While complying with these new requirements will undoubtedly require a further investment of time and money beyond your standard compliance efforts, there is a silver lining: prompt NIST SP 800-171 compliance (and CMMC compliance afterwards) will likely reduce your competition.

As it becomes more difficult to operate in the defense sector, smaller competitors will likely drop out. Becoming compliant with NIST and CMMC will require more resources, and not all current contractors will see the benefit of investing further, especially if they don’t have the capital to do so.

That makes the market less competitive for contractors that do make the effort to become compliant. And that’s not the only benefit — these new requirements aren’t arbitrary. Implementing them will have additional benefits as well, making your company more secure and of greater value to your clients.

Get Expert Assistance With Your CMMC Compliance

CMMC compliance will not be a one-time cost, as it is not a one-time snapshot. It is an ongoing state and requires ongoing practices, policies, and support to maintain compliance.

The RetroFit Technologies team is available to help you analyze your current compliance with NIST 800-171 and identify what is needed to meet the new standards required for CMMC certification.

  • Contact our team and book your assessment at a time that fits your schedule
  • Our team will assess your environment and IT tools to determine your current state and challenges
  • Our team will lay out the necessary steps for your company to meet NIST 800-171 and CMMC requirements