New CMMC Interim Rule Requires NIST Score Requirements for Contracts
Since the unveiling of DFARS/NIST compliance requirements in 2017, the Department of Defense has been stymied by an inability to verify NIST 800-171 compliance among contractors. Between the self-attestation requirements, perpetual POA&Ms and no risk of audits, there has been very little incentive for DoD contractors to fully implement all 110 requirements of the compliance framework.
That all ends on November 30, 2020 with the unveiling of a new CMMC Interim Rule. Under the new regulations, all contractors will be required to publish a score representing their NIST 800-171 compliance progress before they can receive a contract. In addition to the score, contractors must also publish a date by which all requirements will be implemented.
Breaking Down the Impact to NIST 800-171
The government will utilize a vendor report card system called the Supplier Performance Risk System (SPRS) to “verify that an offeror has a current (i.e., not more than three years old, unless a lesser time is specified in the solicitation) Assessment, at any level, on record prior to contract award.”
The assessment referenced above refers to the score that is created through a review of your NIST 800-171 implementation as described in your System Security Plan. What does this mean for you? You will need to have a System Security Plan in place in order to perform this assessment.
“The absence of a system security plan would result in a finding that an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.” – NIST SP 800-171 Assessment Methodology Version 1.2.1 Annex A Comment 3.12.4
Once you have received your score, you’ll need to submit it to the SPRS.
The CMMC Impact
The unveiling of the new interim rule has introduced the long-awaited CMMC clause DFARS 252.204-7021. The DoD is implementing CMMC in a phased rollout by only requiring CMMC compliance for specific contracts. This will be the case until on or after October 1, 2025, when CMMC requirements will apply to all DoD solicitations and contracts.
Until then, it’s time for you to get your NIST 800-171 SSP up to date and start working on implementing your CMMC practices.
Nathan is an Account Executive at Corsica Technologies. He has combined 4 years of experience selling technology into multiple verticals with a special focus on Local Government and Manufacturing. He was a Portland native for seventeen years, then later moved to Greenville, South Carolina, where he resides now. Nathan is a proud graduate of Clemson University in Accounting and Legal Studies. He is married to Rosie Maederer, and they have a little boy, Tobias, who keeps them on their toes day in and day out. Nathan’s purpose is to find and cultivate new partnerships with organizations that are in need of IT leadership and next-generation cybersecurity.