You know about the CMMC Interim Rule that went into effect November 30, 2020, bringing several important changes to the Department of Defense's cybersecurity requirements. Are you ready to jump into action? You should have already reported your NIST SP 800-171 self-assessment score through the Supplier Performance Risk System (SPRS) (you did that, right?). Assuming you've completed this important first step, what should you do now?
System Security Plan
You'll want to create a System Security Plan (SSP) that describes how your organization meets each of the NIST SP 800-171 security requirements. The SSP should include:
- An outline of the controls in scope.
- A definition of how each control applies within your environment.
- Documentation of the implementation of each control, with evidence that it is in place.
- A description of the procedures used to test that each control works as intended.
Plan of Actions and Milestones
If your self-assessment shows that not all 110 security requirements in NIST SP 800-171 for protecting Controlled Unclassified Information (CUI) have been implemented, you'll also have to create a Plan of Action and Milestones (POA&M). This is a detailed strategy of how your organization will remediate the gaps, and when. Important components of the POA&M should include:
- Identifying the underlying security weakness behind each unmet requirement revealed in the assessment.
- Classifying the risk level of each weakness.
- Determining the scope of each weakness within the environment (which systems, networks, and users it affects).
- Creating a planned approach to mitigation, with target milestone dates.
- Assigning the resource(s) responsible for mitigating each weakness.
- Maintaining detailed, clear documentation of progress against each milestone.
The POA&M is your organization's roadmap to official certification and is proof of your commitment to remediate any security weaknesses, so make it count. An audit will uncover a weak effort and could delay your certification, putting you at risk of losing a contract.
You are one step closer to compliance once you fully implement your POA&M. However, keep in mind that it could take anywhere from nine to 12 months to execute completely. The sooner you create your POA&M, the sooner your security program matures. And the more mature your cyber environment, the lower the risk you present to the defense supply chain.
For primes and subcontractors, patience and flexibility are necessary as the process unfolds over a phased five-year rollout of CMMC. Let SME help you get through it. We're experts in CMMC certification requirements and implementation. We can help you complete and review your self-assessment, SSP, and POA&M. Give us a call at 703-378-4110 or email firstname.lastname@example.org.