As you may have seen last week, the new CMMC 2.0 has been released, which reverts to the NIST 800-171 set of security controls and families. It also allows for both a Plan of Action & Milestones (POA&M) and self-assessments.
This is great news for federal contractors, since many of you will no longer need to go through an arduous third-party certification process.
However, you will still need to provide a System Security Plan (SSP) and the DOD Supplier Performance Risk Assessment (SPRS) database entry (per DFARS 252.204-7019 and -7020). The security controls still include vulnerability assessments, continuous monitoring, and risk assessments.
Duffy Compliance supports all these services and can help you get your POA&M up to date. We have become experts in NIST 800-171 because we have been doing this for years – even before it was released by the government in 2017.
Additionally, small clients (< 50 employees) in the state of Maryland can also take advantage of a tax incentive by buying cybersecurity services through Duffy Compliance.
If you have any questions about the new CMMC regulations or your compliance efforts in general, please don’t hesitate to reach out.