More to come with CMMC

  • March 2023: DoD is on pace to release a new DFARS Interim Rule that will codify CMMC in regulation via the DFARS 252.204-7021 clause. Once released, the Rule will allow CMMC requirements to appear in contracts.
  • May 2023: DoD expects to start including CMMC certification requirements in new DoD contracts. CMMC requirements will apply to prime contractors and to all subcontractors throughout their supply chain.

Once implemented, CMMC will further increase enforcement of NIST SP 800-171 through two key requirements:

  • At CMMC Level 2, self-attestation of compliance with NIST SP 800-171 will no longer be relied upon. Instead, once every three years contractors will need to undergo outside, independent assessments conducted only by accredited C3PAOs (CMMC Third-Party Assessment Organizations). Organizations that fail to meet CMMC requirements will be ineligible for future DoD contracts that carry CMMC clauses.
  • SPRS scores from ongoing annual self-assessments of NIST SP 800-171 compliance will need to be signed off by a company or university executive, who will be held accountable for the validity of the score.

What does this mean for defense contractors?

First and most important, it is a mistake to conflate NIST SP 800-171 requirements and the CMMC program. Contractors that do so often veer toward inaction. But as the timeline above makes clear, if you currently do work for the DoD that involves handling CUI, then you have a contractual obligation to implement NIST SP 800-171’s 110 security controls today.

DoD’s message is loud and clear. The most prudent move defense contractors can make to safeguard the long-term viability of their business is to start now to raise their organization’s cybersecurity levels and comply with NIST SP 800-171. To do so, first you’ll need to get your SSP (System Security Plan), POA&M (Plan of Actions & Milestones), and other required documentation in order. The SSP and POA&M are the key documents your organization needs to support its required NIST SP 800-171 self-assessment.

Next, conduct an unbiased NIST SP 800-171 self-assessment and submit your score to the DoD’s SPRS, or update that score as needed. Accurately represent your NIST SP 800-171 compliance level (aka your SPRS score). Be prepared for primes to ask for your SPRS score and know that DIBCAC is conducting random audits of SPRS scores.

Know, too, that these efforts are about much more than compliance with DoD regulations. Robert Metzger, co-author of MITRE's seminal report Deliver Uncompromised and co-chair of the cybersecurity practice at the law firm Rogers Joseph O'Donnell, said it well:

“The smart move is to protect yourself. Now. Not because you have to comply but because you want your enterprise to stay in business.
Don’t let yourself think that it [cybersecurity] matters the day you happen to get an RFI [Request for Information] or RFP [Request for Proposals] that requires an assessment. Be secure beforehand for the sake of your employees, your lenders, your clients, your customers, your investors. And then also your regulator.”
