For all of 2020, there has been a frenzy over migrating from CUI to CMMC. As a matter of fact, Duffy Compliance Services has even been registered to become a C3PAO (Certified 3rd-Party Assessment Organization) for CMMC.
The intention was that CMMC would be in place this fall. Well, like much of 2020, things haven’t gone quite as planned.
At the end of September, the Department of Defense (DoD) announced an Interim Rule where a new mandatory construct, the DoD Assessment Methodology, would serve as a temporary certification process before CMMC is fully in place.
The Interim Rule went into effect November 30, 2020, although full CMMC implementation will not be in readiness until 2025 (see DFARS 252.204-7021).
So what does this mean for you?
For government contractors bidding or working on government contracts, you now have to demonstrate your compliance effort. The Interim Rule allows organizations to do this through a self-assertion method that allows the Defense Industrial Base (DIB) to review their compliance prior to award of new contracts. This process shows the DIB that organizations are working towards protecting CUI on their non-federal systems.
This self-certification process includes reporting the current compliance results to the Supplier Performance Risk System (SPRS). Beginning November 30, contracting officers will check the SPRS database to confirm that a contracting agency has an active SPRS Assessment prior to the award of a new contract or the continuation of an existing one.
SPRS Assessments are good for three years, and must be renewed prior to expiration in order to maintain eligibility for contracts (See DFARS 252.204-7019).
While organizations can self-certify, this process requires addressing all 110 NIST SP 800-171 controls. No control can be left unaddressed indefinitely, and organizations must note timelines to attend to gaps in compliance.
Even though CMMC won’t be in full effect until 2025, if you want to bid – or continue contracts with the DoD – you must show your compliance through the SPRS Assessment.
The good news is you can self-certify for now. However, this process is more than a checklist. You must address each of the 110 controls.
If that feels overwhelming, you don’t have to do it alone. Duffy Compliance can help you go through the whole process, including helping enter your information into the SPRS database and assisting you to ultimately be prepared to meet the CMMC compliance once it becomes available.
If you’re interested in learning more, please don’t hesitate to reach out.