What new CMMC rule and deadline mean to you

The Defense Department has codified NIST SP 800-171 and set a deadline of Nov. 30 for contractors to register their compliance. It's the bridge to CMMC compliance.

Grab a red pen and circle Nov. 30, 2020 on the calendar. That’s the next deadline in the government’s initiative to improve cybersecurity and every contractor has reason to mark the date.

Government contractors with a DFARS 252.204-7012 clause in their contracts are required to conduct a self-assessment of NIST SP 800-171 standards and enter their results into the Supplier Performance Risk System by the end of next month.

What’s the big deal, you ask?

Government contractors have long been asked to follow these standards, however, this deadline, shines a spotlight on how compliant companies really are across 110 controls, giving each company a score for their efforts. Those who don’t have their results entered will not be eligible for an award on a contract containing the clause.

Every control is worth 1 point, while those controls NOT met subtract up to 5 points. It’s not only possible, but likely, that many companies will have to report a negative score, despite having basic cyber security protections in place. That’s not a good look for a contractor or sub looking to renew or secure contract wins.

The late-September DFARS announcement came as a bit of a surprise to the industry. Cybersecurity self-reporting has been a scout’s honor policy with little oversight or validation until recently. The Cybersecurity Maturity Model Certification, or CMMC, a third-party certification, was already big news and rumored to start in 2021. Large contractors with teams of cyber pros on staff may be ready to demonstrate how they meet the required practices for each Maturity Level. However, small and medium sized businesses are struggling to prove their practices meet the mark—wondering if the IT investments necessary to establish higher Maturity Levels will pay off.

The connection between NIST SP 800-171 and CMMC

CMMC uses a framework based largely on NIST 800-171 standards. From a practices and policy perspective, meeting NIST 800-171 is a natural bridge to CMMC.

Those meeting the requirements by Nov. 30 are poised for CMMC at Maturity Level 3. While that sounds like excellent news, analysts say few—if any—firms are expected to be a hundred percent compliant. It’s also worth noting that those who score low on NIST 800-171 standards may still be able to be CMMC certified at Maturity Level 1

Getting ready for what comes next

All DOD contractors and subcontractors need to familiarize themselves with their security requirements well ahead of the deadline. Those with the DFARS 252.204-7012 clause need to begin their assessment process immediately. Evaluating 110 controls will take time. It will also allow the controls to gain maturity in your organization, a requirement to meet a few CMMC practices.

Those contractors without DFARS requirements aren’t off the hook. CMMC is still just around the corner and every company within the Defense Department supply chain, that’s 300,000 contractors and subcontractors, will need to be certified to contract with the DOD when it’s fully implemented.

Knowing what CMMC Maturity Level is needed (determined by the type of DOD data and Controlled Unclassified Information (CUI) stored or processed on their networks) is just the first step.

Both groups can benefit from a third-party readiness review. These gap analysis, using NIST 800-171 or CMMC Maturity Level practice standards, can point out practices that need a quick fix—like rewriting company policies. They also can provide a heads up on practices that will require more substantial investments or time and resources.

Perhaps most importantly, an independent review can catch things your self-assessments may have missed and prevent your score or certification status from being a surprise.

2020 has given us enough of those. Don’t let this one get added to the list.