New CMMC Interim Rule Requires a NIST 800-171 Assessment Score Before Contract Award
Since the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity clause and its National Institute of Standards and Technology (NIST) SP 800-171 requirements took full effect at the end of 2017, the Department of Defense (DoD) has been stymied by an inability to verify NIST 800-171 compliance among contractors. Between self-attestation, perpetual Plans of Action and Milestones (POA&Ms) and no realistic risk of an audit, there has been very little incentive for DoD contractors to fully implement all 110 requirements of the framework.
That changed on November 30, 2020, when the new CMMC Interim Rule (DFARS Case 2019-D041, published September 29, 2020) took effect.
What is the CMMC Interim Rule?
The DoD is issuing an interim rule to amend the DFARS to implement a DoD Assessment Methodology and the CMMC framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.
Under the new regulations, contractors subject to DFARS 252.204-7012 (that is, those that process, store or transmit Controlled Unclassified Information) must have a NIST 800-171 assessment score on record before they can receive a contract. In addition to the score, contractors must also report the date by which all 110 requirements will be fully implemented (the date a score of 110 will be reached).
Breaking Down the Impact to NIST 800-171
The government will utilize a vendor report card system called the Supplier Performance Risk System (SPRS) to “verify that an offeror has a current (i.e., not more than three years old, unless a lesser time is specified in the solicitation) Assessment, at any level, on record prior to contract award.”
The assessment referenced above produces a score derived from a review of your NIST 800-171 implementation as documented in your System Security Plan (SSP). Under the DoD Assessment Methodology, a fully compliant system scores 110; each requirement that is not implemented subtracts a weighted value (5, 3 or 1 point depending on its impact), so the score can fall well below zero for an organization that has implemented little. What does this mean for you? You must have a System Security Plan in place before this assessment can even be performed.
“The absence of a system security plan would result in a finding that an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.” – NIST SP 800-171 Assessment Methodology Version 1.2.1 Annex A Comment 3.12.4
Once you have calculated your score (a Basic assessment is a self-assessment performed by the contractor), you will need to submit it, along with the date by which you expect to reach 110, to SPRS.
The CMMC Impact
Under the interim rule, CMMC is on a five-year phased rollout, and after October 1, 2025, all DoD solicitations and contracts are expected to require CMMC compliance. During this phase, your organization should be reviewing your current System Security Plan (SSP) and your POA&Ms. Partnering with a reputable third-party vendor can help address your concerns and identify the gaps in your security and compliance plan. Corsica Technologies can help your organization understand the impact your assessment score might have.
Our team of compliance experts is here to help. If you do not have the NIST framework in place, or if your team needs help closing out your POA&Ms, schedule a call with one of our experts here or read more about how we help organizations with NIST 800-171.