It should come as no surprise that things have changed again. Many of you have already heard about the rollout of the Cybersecurity Maturity Model Certification (CMMC) over the next 5 years and hopefully have started working towards the required level of certification for your organization. But have you heard about the CMMC Interim Rule?
The CMMC Interim Rule includes a new DoD methodology for NIST 800-171 starting November 30, 2020. The Interim Rule adds DFARS 252.204-7019 and 252.204-7020 and allows for a scoring methodology (Basic, Medium, High). This new methodology requires all DoD contractors and sub-contractors to complete a NIST 800-171 self-assessment and receive a score through the Supplier Performance Risk System (SPRS).
A Basic Assessment is a self-assessment completed by the contractor, while the Medium and High Assessments are to be completed by the Government. The Government will select contractors for Medium or High review based on the nature of the program.
Please note that all self-assessments completed by contractors are given a Basic score; to achieve a Medium or High score, the assessment must be reviewed by the Government.
Contracting Officers are required to verify the offeror has a current NIST 800-171 DoD Assessment on record prior to contract award or the exercise of an option.
Certain aspects of the interim rule may change with the issuance of a final rule and additional guidance. Until then, DoD contractors should make plans to implement the new Assessment requirement quickly, and should carefully review all DoD solicitations and contract modifications to understand whether or not the new rule impacts them.
What does this mean for you? It is time for you to dust off your POAM and SSP, create an account with SPRS, and go through the self-assessment process.
To find out more about our CMMC auditing services, or any other IT/security related questions, please give us a call at 703-378-4110 or email firstname.lastname@example.org.