Controlled Unclassified Information (CUI) and the Fate of CMMC

Please note: the FAR CUI rule (FAR Case 2017-016) appears to be on schedule for publication by the end of the year.

This rule does two big things:
1) Provides a framework for identifying CUI in government contracts.
2) Mandates NIST SP 800-171 as the minimum requirements for safeguarding CUI for all agencies and their contractors.

Regardless of what happens to CMMC in name or substance, NIST SP 800-171 remains the standard for compliance. Doubts around CMMC have more to do with “how” NIST SP 800-171 will be verified for contractors rather than “if”.
Thousands of companies have conducted NIST SP 800-171 self-assessments, calculated their scores according to the DoD Assessment Methodology, and officially reported those scores to the government via SPRS to comply with the DFARS interim rule issued in November 2020. It is estimated that many of these companies have been “generous” with their scores.

FedScoop's May 13, 2021 issue states: The DOD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) approved the first company, which was not named, to move forward in the Cybersecurity Maturity Model Certification (CMMC) process, a spokesperson told FedScoop. Now, it is up to the CMMC Accreditation Body (CMMC-AB) to grant the company Certified Third Party Assessment Organization (C3PAO) status, meaning that it can officially assess the maturity of defense contractors’ cybersecurity in compliance with new CMMC requirements.

DIBCAC can come calling to verify your score at any time. Are you “sincerely or generously” prepared?

SERVICES

We will perform a pre-CMMC review to help you prepare for your CMMC at levels 1-3. This includes setting up your NIST 800-171 score and starting you on your way to completing your SSP and POAM. Our goal is to make you as self-sufficient as you want.

GJB and Associates provides multiple packages for these services. For more information, please email sales@gjbandassociates.com.
