DoD Cybersecurity NIST Requirements for Contractors

We want to share a critical memorandum that affects all Department of Defense (DoD) contractors. It was released on June 16, 2022, to several agencies within DoD Acquisition and Sustainment regarding cybersecurity mandates.

The memorandum mandates enforcement of the cybersecurity safeguards specified in NIST SP 800-171, together with a Plan of Action and Milestones (PoAM) for each requirement not yet implemented.

It is crucial for companies and contractors to understand who must comply, the timeline, the penalties for non-compliance, and, lastly, the relationship with CMMC 2.0 (DoD's Cybersecurity Maturity Model Certification, version 2).

According to Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, enacted in 2016, all contractors that process, store, or transmit Controlled Unclassified Information (CUI) must implement the security requirements of NIST SP 800-171.

A newer DFARS clause, 252.204-7020, released on November 30, 2020, introduced additional requirements for the same purpose. For all future solicitations and contracts, contractors must post the summary-level score of their NIST SP 800-171 self-assessment in the Supplier Performance Risk System (SPRS), and must grant Government personnel access to conduct a High or Medium NIST SP 800-171 DoD Assessment to validate the posted information.

Given the above, if you handle CUI and your agreement with the DoD was signed after 2016, or you want to bid for any future contracts, you must be NIST SP 800-171 compliant NOW. Failure to comply can result in withheld progress payments, forfeited remaining contract options, and potentially termination of the contract in part or in whole.

Now, you may ask how all the above relates to the CMMC. As a framework, CMMC is based on NIST SP 800-171. The difference lies in how the contractor must demonstrate implementation. The memorandum referred to above enforces the NIST SP 800-171 self-assessment and PoAM, while CMMC takes an entirely different approach involving a third party: CMMC requires an in-depth third-party audit/assessment to verify all the evidence needed for compliance, which is an expensive and lengthy process to obtain "Certification."

So far, it is not clear what the deadline for CMMC 2.0 is. However, it is public knowledge that the Pentagon plans to release the "interim rule" implementing the CMMC 2.0 program by May 2023, with the initial requirements appearing in DoD contracts 60 days after the rule is published.

We recommend adopting NIST SP 800-171 as your cybersecurity framework as soon as possible, starting with the self-assessment and PoAM required by DFARS 252.204-7020, since it goes in the same direction as CMMC 2.0. This could reduce the cost and the estimated 6 to 18 months required for preparation and the actual CMMC 2.0 certification.

We at Empowered IT Solutions have the tools and expertise to assist companies seeking either the self-assessment and PoAM or preparation for the CMMC 2.0 certification audit. You can learn more about CMMC compliance, or schedule a call with us, to understand CMMC and how its requirements can affect your organization.