DCMA Enforcing NIST SP 800-171 Documentation

DCMA Enforcing NIST SP 800-171 Documentation – Surprise Assessments are in effect! – Are You Ready?

Though the DoD has delayed CMMC certification, the Defense Contract Management Agency (DCMA) is now enforcing that contractors have all NIST SP 800-171 documentation in place by performing surprise audits. DCMA created the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to examine companies that have self-assessed their compliance with NIST requirements at all CMMC levels.

If subject to a surprise assessment, the DIBCAC will initiate contact with the contractor on a Monday and will require them to submit their gap analysis, plan of action and milestones (POA&M), and system security plan (SSP) by that Friday.[1] In order to prepare for a spontaneous audit, companies must complete these documents and ensure their accuracy immediately.

NIST SP 800-171 Gap Analysis

First, your organization needs a compliance gap analysis detailing compliance-related activities associated with each of the 110 NIST SP 800-171 cybersecurity requirements. You must assess each control requirement as “fully compliant,” “partially compliant,” “not compliant” or “not assessed.” The result of a NIST SP 800-171 gap analysis is a compliance score, derived from the number of controls a company assesses as “fully compliant.”

In September 2020, the DoD published the DFARS Interim Rule requiring contractors to report their NIST SP 800-171 compliance score through the Supplier Performance Risk System (SPRS) no later than November 30, 2020. Over a year later, many organizations still have not reported their compliance score. Some organizations have been denied contract modifications or new contract awards because they have not done so.

The CMMC Registered Practitioners at GjB and Associates have a thorough understanding of each CMMC requirement.

Plan of Action & Milestones

Second, a Plan of Action & Milestones is expected to be in place. The Plan of Action & Milestones is a compliance remediation plan expressed in a format defined by the DoD. The POA&M is derived from your assessment and details each deficiency, what will be done to remediate the compliance gap, and a timeline for when the gap will be remediated. The gap with the latest remediation date sets the “Plan of Action Date”, the date when full compliance will be achieved. GjB and Associates can help produce your POA&M.

System Security Plan (SSP)

Lastly, a System Security Plan must be completed. The SSP illustrates the detailed architecture of security controls required by NIST SP 800-171 and provides high-level compliance plans or evidence of compliance (depending on status) for all 110 requirements. GjB and Associates can also produce this document for your organization based on the results of the assessment and POA&M. GjB and Associates has also developed nearly 100 policies and procedures to assist you in confirming what is in your System Security Plan.

Efficient, Cost-Effective Documentation

Security plans, assessments, and policies and procedures are a critical element of any NIST SP 800-171 compliance effort. The gap analysis, POA&M, and SSP must be produced to provide a foundation for NIST SP 800-171 and CMMC compliance. The investment in time to prepare and review each document for accuracy will pay off as your organization moves closer to its CMMC assessment. If you do not have these documents in place and need efficient, cost-effective help, or you would like an external review of your current compliance efforts, email us at sales@gjbandassociates.com.

Sources

[1] https://cmmcab.org/videos/cmmc-town-hall-march-2022/