An Interim CMMC version was released on September 29, 2020, finishing off a tumultuous month at the organization. On September 2, 2020, two members of the Cybersecurity Maturity Model Certification Accreditation Board were voted off in the midst of a conflict-of-interest controversy involving a pay-to-play strategy. Karlton Johnson is now the chairman of the board.
DoD Interim Ruling
The interim ruling, the DFARS 252.204-7012 Interim Rule, places immediate cybersecurity requirements on Department of Defense (DoD) supply chain contractors. Among the changes is a requirement for vendors to complete an assessment of their compliance under the NIST SP 800-171 DoD Assessment Methodology.
This assessment is to be completed by the contractor before DoD contracts can be awarded. The DoD has encouraged contractors to respond immediately.
This assessment is based on a scoring methodology applied to the security requirements. The methodology consists of three levels (basic, medium and high). The interim rule requires a basic-level self-assessment to be completed by the contractor.
Medium or high assessments must be completed by the government. CMMC will not be required for Commercially Available Off-the-Shelf (“COTS”) procurements at or below the micro-purchase threshold.
Self-attestation to NIST 800-171 is already a requirement under current regulations. However, the interim ruling allows the government to inspect compliance more carefully.
This new enforcement will become effective on November 30, 2020, and is a requirement for the award of government contracts. This gives those affected little time to respond, as the DoD is only receiving comments through November 22.
Supplier Performance Risk System (SPRS)
The SPRS is the DoD’s web-enabled enterprise application that gathers, processes, and displays data about the performance of suppliers. DFARS clause 252.204-7012 will require contractors to have assessments completed. After completion, contractors will have an opportunity to access their SPRS score and rebut the findings.
Background on CMMC
CMMC was created by the Office of the Under Secretary of Defense for Acquisition & Sustainment as an effective means of implementing risk-based management approaches to cybersecurity. It is a cooperative effort between the DoD and industry and is coordinated by the Cybersecurity Maturity Model Certification Accreditation Board (CMMC-AB).
The CMMC was enacted to place cybersecurity requirements on DoD contractors to achieve levels of cybersecurity maturity to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) in the DoD supply chain.
The CMMC (Cybersecurity Maturity Model Certification) Accreditation Body will approve Third Party Assessment Organizations (C3PAOs). These third-party organizations, once accredited, will be authorized to conduct CMMC assessments and grant CMMC certifications. The CMMC is still on target for full implementation in 2025.
Reactions to the CMMC Interim Ruling
There has been some disappointment voiced by federal contractors about the immediacy of this change, because the industry will, in effect, have limited ability to respond. This is because the ruling was not published first as a proposed draft.
Additionally, many small business owners have expressed concerns about the increased cost of hiring third-party cybersecurity assessors to verify compliance with the National Institute of Standards and Technology standard. To many, these assessments seem redundant with the final requirements of the CMMC.
The Importance of a Secure Supply Chain
The security of the supply chain in the Defense Industrial Base is vital to the U.S. There has been broad recognition of the lack of sufficient security among suppliers to the DoD. As with other industries, defense contractors have been behind the curve on securing sensitive data. Cyber supply chain risks include theft of information, tampering, and insertion of malicious software.
Hostile nation-states, including China, Russia, Iran, and North Korea, are actively involved in theft and sabotage of DoD information. Because of the inherent complexities of managing a multi-tiered, interconnected supply chain, it is essential to provide a uniform set of requirements for all members. This latest revision to the CMMC is a stopgap measure to shore up vulnerabilities until its full implementation is complete.
The Interim CMMC Version released in October underlines the government's commitment to protecting the DoD from the very immediate and intrinsic threat of data breach. In response to these developments, CVG Strategy is providing consulting services to help your organization ramp up to compliance with DFARS 252.204-7012 and NIST 800-171.
CVG Strategy will also be providing pre-assessment training, implementation and subject matter support as the final CMMC requirements roll out.