
You thought you needed to be CMMC compliant, and then the rules changed.
At the end of September 2020, the Department of Defense (DoD) announced an Interim Rule under which a new mandatory construct, the DoD Assessment Methodology, would serve as a temporary certification process until CMMC is fully in place.
The Interim Rule went into effect on November 30, 2020, although full CMMC implementation will not be in place until 2025 (see DFARS 252.204-7021).
Even with the new CMMC 2.0, the Interim Rule is still in effect; in fact, major contractors like General Dynamics, Northrop Grumman, and Raytheon specifically note on their websites that their subcontractors must have a score entered into the SPRS database in order to continue on existing contracts or to bid on new ones.
What the Interim Rule means to you:
The DFARS Interim Rule requires contractors and subcontractors to perform a self-assessment against NIST SP 800-171, with the eventual goal of becoming certified under the CMMC program. The goal of this initial exercise is to submit your NIST SP 800-171 self-assessment score into the Supplier Performance Risk System (SPRS).
It seems simple enough... except this "Basic" self-assessment against the 110 security controls across 14 domains listed in NIST SP 800-171 must be completed in accordance with the NIST SP 800-171 DoD Assessment Methodology, Section 4, Levels of Assessment. That document further explains that the use of NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, is required:
4) Levels of Assessment
a) Basic (Contractor Self-Assessment) NIST SP 800-171 DoD Assessment
i) "The Basic Assessment is the Contractor's self-assessment of NIST SP 800-171 implementation status, based on a review of the system security plan(s) associated with covered contractor information system(s), and conducted in accordance with NIST SP 800-171A, 'Assessing Security Requirements for Controlled Unclassified Information' and Section 5 and Annex A of this document."
A more arduous task than you might think
Still seems like a big task, but manageable... until you review that document and realize that, in order to consider any given control as met, NIST SP 800-171A requires a company to meet all of the assessment objectives listed for it. Those 110 controls just blew up into 319 individual assessment objectives standing between you and your perfect score of 110.
Not only that, control 3.12.4 requires the development of a completed System Security Plan (SSP), and this control must be implemented, not left as a future action item. It must be in place prior to submitting the score. In other words, no SSP = no SPRS score... even if you correctly implemented all other 109 controls. Developing an SSP is no quick or easy task.

So, in order to submit your self-assessment score into the SPRS system, you must have in place an SSP describing your system, your self-assessment against the 800-171 requirements (using the DoD Methodology against all 319 assessment objectives), and a Plan of Action indicating when and how you will get your score up to a perfect 110.
Not to Be Taken Lightly
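The scoring logic described above (a control counts only when every one of its 800-171A objectives passes, the score starts from a perfect 110, and no score exists without an implemented SSP under 3.12.4), as an added worked example that is not part of the original post or of any DoD tool. The control subset, objective results and point weights below are constructed sample values; the real per-control weights come from Annex A of the DoD Assessment Methodology and are not reproduced here.

```python
from collections import defaultdict

PERFECT_SCORE = 110
SSP_CONTROL = "3.12.4"  # SSP must be in place or no score can be submitted

# Constructed sample weights for a handful of controls (hypothetical values,
# NOT the official Annex A weighting). 3.12.4 is deliberately absent: it gates
# scoring instead of being deducted.
SAMPLE_WEIGHTS = {"3.1.1": 5, "3.1.3": 1, "3.5.3": 5}

# Constructed sample 800-171A objective results, keyed like "3.1.1[a]".
SAMPLE_RESULTS = {
    "3.1.1[a]": True, "3.1.1[b]": True, "3.1.1[c]": True,
    "3.1.3[a]": True, "3.1.3[b]": False,        # one objective missed
    "3.5.3[a]": True, "3.5.3[b]": True,
    "3.12.4[a]": True, "3.12.4[b]": True,        # SSP developed and current
}


def controls_met(objective_results):
    """Map control id -> True only if EVERY assessed objective passed."""
    by_control = defaultdict(list)
    for objective_id, passed in objective_results.items():
        control = objective_id.split("[", 1)[0]  # "3.1.3[b]" -> "3.1.3"
        by_control[control].append(passed)
    return {control: all(results) for control, results in by_control.items()}


def sprs_score(objective_results, weights):
    """Return the score, or None when the SSP control is not implemented.

    Controls with no recorded objectives count as unmet (unassessed).
    """
    met = controls_met(objective_results)
    if not met.get(SSP_CONTROL, False):
        return None  # no SSP = no SPRS score
    deductions = sum(w for c, w in weights.items() if not met.get(c, False))
    return PERFECT_SCORE - deductions


def plan_of_action(objective_results, weights):
    """Controls still needing work, i.e. the Plan of Action items."""
    met = controls_met(objective_results)
    return sorted(c for c in weights if not met.get(c, False))


if __name__ == "__main__":
    print(sprs_score(SAMPLE_RESULTS, SAMPLE_WEIGHTS))       # 109
    print(plan_of_action(SAMPLE_RESULTS, SAMPLE_WEIGHTS))   # ['3.1.3']
```

Against a real assessment, the weights dictionary holds all 110 controls (119 after the 3.12.4 gate and partial-credit cases are handled per Annex A), so any control with no recorded objectives pulls the score down rather than silently passing.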
The Department of Justice (DOJ) recently announced that it will actively pursue companies that receive federal funds through government contracts when they fail to follow required cybersecurity practices. The DOJ will use the False Claims Act as the basis for penalizing companies that choose to allow business practices with unacceptable cybersecurity risk. Liability for allowing these business practices falls under three categories: 1) actual knowledge, 2) acting in deliberate ignorance of the truth or incorrectness of information, and 3) acting in reckless disregard of the truth or incorrectness of information.