What CMMC means for you

Whether you’re a defense contractor or a supplier to defense contractors, the Cybersecurity Maturity Model Certification (CMMC) is likely to have a direct impact on you, and soon.  Similarly, Managed Service Providers (MSPs) supporting subcontractors are already seeing interest in CMMC skyrocket.

The NIST 800-171 cyber security standard is already a requirement for Department of Defense (DoD) contractors under DFARS.  CMMC extends NIST 800-171 to include certification.  There are three important recent CMMC developments:

1) Prime contractors are starting to enforce NIST 800-171 compliance, even in advance of CMMC.

While the Defense Federal Acquisition Regulation Supplement (DFARS) has required NIST 800-171 compliance for at least five years, enforcement has been lax.  Many subcontractors simply put together a Plan of Action and Milestones (POAM) and left implementation behind.  Now primes are starting to enforce compliance themselves, asking for completed security questionnaires and validation.

If you have a DoD subcontract, you’ll likely start to see compliance terms in your RFPs and contracts, along with auditing rights.

2) The DoD is phasing in a self-reported score on each NIST 800-171 control. Self-reported compliance is getting teeth, but still selectively.

Similar to the prime contractors enforcing NIST 800-171 compliance, the DoD itself is tightening the reins.  A CMMC Interim Rule was recently issued and will take effect on November 30, 2020.  This rule requires defense contractors to self-report their NIST 800-171 compliance for select contracts, using a specified scoring methodology.

You will want to check your RFPs to see if “DFARS 252.204-7012” is included.  If so, and if you want a chance to win, you will have to self-report a compliance score. Contract awards that include this clause will be subject to previews of the reported scores, and perhaps audits.

If you have a DoD contract, CMMC may be coming sooner than you might think.  Fortunately, some funding for compliance may be available or refundable through the contracts.

3) It appears CMMC will expand beyond the DoD, to all federal contracts.

Already the General Services Administration (GSA) has started advising their suppliers to prepare for CMMC.  Similarly, the Department of Homeland Security appears to be heading towards adopting CMMC.  As more federal contracts head in this direction, look for states to follow suit.  While a few states may choose to develop their own standards, most will be oriented to use what’s already developed and gaining momentum.

The buzz around CMMC has accelerated as suppliers and their IT partners prepare for this major cyber security requirement.  Many MSPs are readily capable of implementing the technical controls associated with CMMC.  However, few are prepared to support that implementation with the over-arching security programs and administrative controls, including governance (policies) and compliance audits.  If CMMC is entering your world, feel free to reach out for a consultation.