SME, Inc.


May 24, 2022 By Rich Westbrook

DIBCAC Medium Assessments Are Coming To DIB Contractors

You may have missed it, but the CMMC Accreditation Body (CMMC-AB) hosted their March Town Hall Meeting on Tuesday, March 29th. The meeting lasted about an hour and covered several topics surrounding the CMMC. 

Topics included training and certification programs and the recent activities of the Defense Contract Management Association’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center, aka DIBCAC.

The team at SME wanted to share some of the most relevant, actionable information from the meeting with our customer base of DIB contractors.

DIBCAC Medium Assessments Are Coming To DIB Contractors

It's important to note that DIBCAC is starting to do random assessments, look into compliance documentation, check SPRS scores, and ask for additional self-assessment documentation.

But what are the need-to-knows for Defense Industrial Base contractors?  

These are the issues from the CMMC-AB town hall that we’ll discuss in this post:

  • What type of assessments will DCMA be conducting, and what do DIB contractors need to be aware of? 
  • What are the compliance risks and required actions from contractors?
  • Where can DIB contractors go for questions and clarification?

So let’s get started with some important notes from the town hall meeting. The full meeting notes are available from the CMMC-AB:

Mr. DelRosso (DCMA/DIBCAC spokesman) then provided an update on medium assessments, which the DCMA DIBCAC is initiating to provide acquisition insight into the DIB. They are a paper-based drill and will be of minimal impact to contractors. They will be used for companies who self-attested at a variety of levels and will include a review of System Security Plan (SSP) descriptions of how each requirement is met. The DCMA will look at high scorers and low scorers and see if there is any pattern that can be identified based on scores and sectors of the DIB to get a real understanding on what is going on. The DCMA DIBCAC will be checking some of these SSPs soon to get a sense of compliance within the ecosystem.

The medium assessments have started rolling out. It might be helpful to understand the difference between medium versus high assessments:

  • Medium assessments – a paper-based review used for companies that self-attested at a variety of levels; it includes a review of System Security Plan (SSP) descriptions of how each requirement is met.
  • High assessments – a medium assessment, but with a higher-level review of the submitted documentation that follows more methodologies.

Here’s what you need to be aware of—if your organization has submitted a Supplier Performance Risk System (SPRS) score based on self-assessment, you still need to have a detailed system security plan (SSP) in place and available to DIBCAC personnel. 

In fact, the absence of an SSP could invalidate your score, according to NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1:

i) Since the NIST SP 800-171 DoD Assessment scoring methodology is based on the review of a system security plan describing how the security requirements are met, it is not possible to conduct the assessment if the information is not available. The absence of a system security plan would result in a finding that ‘an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.’

So what are the compliance risks and required actions for DIB contractors?

You never want to be at risk with DCMA/DIBCAC compliance. You could be subject to invasive document review requests, DCMA Corrective Action Requests (CARs), and ultimately disciplinary actions, loss of contracts, status revocations, etc.

When industry-tested, professional, cost-effective solutions are readily available, who needs any of that?

Where can DIB contractors go for questions and clarification?

If you don’t have a system security plan in place, get in touch with our team today.

You still have time to get all of your documentation in place.

With our DIB-contractor-tested Compliance Management Platform, we can crosswalk from NIST 800-171 to CMMC and DIBCAC medium assessments. We’ll help you identify any gaps. Our team of Registered Practitioners will work with your team to build an SSP and an accurate, compliant SPRS Score.

As a designated CMMC-AB Registered Provider Organization (RPO), SME is uniquely positioned to provide pre-assessment advice, consulting services, remediation, and compliance recommendations to government contractors.

SME takes a different, more efficient approach to help our DIB clients achieve compliance. When you partner with us, you get a dedicated engineer who will help you build an action plan for a DCMA DIBCAC medium assessment.

At SME, we have a team of experts with all the extensive experience and certifications that it takes to keep up with today’s incredibly fast-paced world of cybersecurity. We are laser-focused on information security, so you don’t have to be.  

Right now we’re offering a no-obligation SSP assessment at no cost to you. 
Call us at 703-378-4110. Schedule Your Free SSP Assessment Today!
