SysArc

IT Company

  • Services
    • IT Risk Management & Compliance
      • Cybersecurity Maturity Model Certification (CMMC) Assessment & Preparation
      • NIST SP 800-171 / DFARS Compliance Solution
      • FISMA Compliance Solution
      • GDPR Compliance Solution
    • Microsoft GCC/GCC High Migration Services
    • Managed Cyber Security
    • Managed IT Service & Support
  • Who We Are
    • Careers
  • Resources
    • CMMC 2.0 Update Guide
    • CMMC News
    • CMMC Guide for DoD Contractors
    • NIST 800-171 Guide
    • DFARS Interim Rule Guide
    • DFARS Compliance Guide
    • FISMA Compliance Guide
  • Blog
  • Help Desk
  • Free Consultation

Who Provides CMMC Certification?

February 18, 2022 by SysArc

The CMMC Accreditation Body (CMMC-AB) is the only entity authorized to select the third-party assessors (C3PAOs) that can grant CMMC certification.

Registered Provider Organizations (RPOs), like SysArc, can provide excellent tools and services to help an organization reach compliance standards, but they do not generally provide official assessments or certifications.

How the CMMC-AB Chooses Third-Party Assessors

The CMMC-AB is responsible for role alignment between the CMMC, the CMMC Assessment Body (CMMC-AB), and the CMMC Certification Body (CMMC-CB). The role alignment identifies which companies are performing what tasks within the CMMC process.

The assessment body evaluates all organizations that want to provide certification to ensure they are following the appropriate standards and there is no conflict of interest. The certification body then audits organizations that provide CMMC assessments and ensures they are correctly following assessment process guidelines.

Any person or organization wishing to provide CMMC certification must be approved by the CMMC-AB through its application process.

How to Schedule an Official Certification Assessment

The CMMC certification process is divided into two phases: the self-assessment or an assessment by a third-party consultant, and the official assessment. The self-assessment can be completed at any time, while organizations must wait until sometime in 2022 for their official assessment appointment since assessors are still in training.

One of the key steps in becoming a CMMC-certified organization is preparing for your official assessment during this waiting period. Organizations Seeking Certification (OSCs) can prepare by working with a reliable CMMC consultant towards compliance now.

If you are a DoD contractor and want to learn more about how to prepare your organization for DFARS and CMMC, read our CMMC Compliance Guide or contact us for more information about how SysArc can help you meet DFARS requirements and prepare for CMMC.

Filed Under: CMMC

What Is the Difference Between DFARS and CMMC?

November 19, 2021 by SysArc

To understand the difference between DFARS and CMMC, it is helpful to know why the Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) in the first place.

The DoD created CMMC as a “verification component” of the Defense Federal Acquisition Regulation Supplement (DFARS) law. What does “verification component” mean? When DFARS 7012 was originally passed, DoD contractors only needed to state that they had implemented the cybersecurity controls of DFARS. Basically, implementation was based on trust. This resulted in a poor adoption rate within the Defense Industrial Base, which pushed the DoD to clamp down and create a verification mechanism to ensure DoD suppliers were in fact compliant with DFARS. While CMMC is still being rolled out, this verification mechanism will come in the form of third-party audits from CMMC Third-Party Assessor Organizations (C3PAOs).

In short, DFARS is the legal text for the cybersecurity requirements that all DoD suppliers must follow, and CMMC will be the verification mechanism for ensuring that it’s actually being implemented.

With the new CMMC 2.0 model, not all DoD contractors will be subject to a third-party assessment — only those working on what the DoD calls “prioritized acquisitions.” Some will only be required to perform a self-assessment and affirm their compliance annually. The DoD has not yet announced how it will prioritize acquisitions.

Still, with the Department of Justice (DOJ) announcement that it will start pursuing government contractors who falsify cybersecurity affirmations, it is imperative that contractors have the documentation and evidence to back up their affirmation of compliance, even if they will not be assessed by a C3PAO.

If you are a DoD contractor and want to learn more about how to prepare your organization for DFARS and CMMC, read our CMMC Compliance Guide or contact us for more information about how SysArc can help you meet DFARS requirements and prepare for CMMC.

Filed Under: CMMC

CMMC 2.0 Guide for DoD Contractors

November 15, 2021 by SysArc

As a Managed Security Service Provider (MSSP) that specializes in helping DoD contractors navigate the complexities of cybersecurity and compliance, we’ve been closely monitoring the evolution of the Cybersecurity Maturity Model Certification (CMMC) since its inception in 2020, and going back to 2016 when DFARS 7012 was just getting off the ground.

On November 4th, 2021, the DoD released CMMC 2.0 which includes several updates and changes to the original framework.

This short guide was written for DoD contractors so that they can understand what these changes mean for their organizations and take the appropriate actions for their company.

Summary of Key Updates: CMMC 1.0 vs. CMMC 2.0

CMMC 1.0 vs. CMMC 2.0

  • Only 3 CMMC Levels: CMMC Levels 2 and 4 from the original CMMC framework have been eliminated, leaving only 3 current CMMC Levels. These Levels are detailed below.
  • Level 1: Now only requires an annual self-assessment and affirmation by company leadership. No changes to the 17 basic cyber hygiene practices required.
  • Level 2: The “old” CMMC Level 3 now becomes Level 2. 20 controls have been eliminated from the original framework’s Level 3 requirements, leaving contractors only having to implement the 110 controls from NIST 800-171. The DoD will identify “prioritized acquisitions” that must undergo an independent third-party assessment against the new Level 2 requirements. All other organizations will only need to perform a self-assessment and affirmation by company leadership.
  • Level 3: This level will replace CMMC Levels 4 and 5 from the original framework. While details are still being worked out, it is expected that this level will include controls from NIST SP 800-172 and assessments will be government-led.

Visualizing the New CMMC 2.0 Levels:

A diagram of CMMC 2.0 Levels

Source: https://www.acq.osd.mil/cmmc/about-us.html

CMMC 2.0 Changes Explained

Beyond the modification of the Levels, here are two key changes that DoD contractors need to be aware of.

Change One: Assessment Requirements

Level 1: Self-Assessments

One of the biggest complaints from DoD contractors was that CMMC 1.0 required them to undergo third-party certification, even at CMMC Level 1. CMMC 2.0 eliminates this requirement. Instead, contractors can perform their own self-assessments and will only be required to affirm annually that they comply with CMMC 2.0 Level 1.

Level 2: Third-Party Assessments & Self Assessments

CMMC Level 2 is divided into two separate assessment requirements. Only DoD Contractors working on “prioritized acquisitions” will need to undergo a third-party assessment every 3 years. All other contractors are permitted to perform a self-assessment and affirm annually that they comply with CMMC 2.0 Level 2.

The DoD has not yet announced how it will prioritize acquisitions.

Level 3: Government-Led Assessments

CMMC Level 3 applies to only the most sensitive and high-risk DoD projects. Therefore DoD contractors who fall into this category will need to undergo a government-led assessment every 3 years.

Change Two: Allows Plan of Action and Milestones (POA&M)

Another big criticism from DoD Contractors was that they were being required to meet every single practice and process for their required Level of certification. CMMC 2.0 allows for the DoD contractors to submit a Plan of Action and Milestones, also known as a POA&M, for those practices and processes not yet met.

Important: DFARS 7012, 7019 & 7020 Are Still Required

A very important fact is that DFARS 7012, 7019 and 7020 are still required for DoD contractors who handle controlled unclassified information, or CUI. Complying with these clauses requires implementing NIST 800-171, which equates to CMMC Level 2 (Advanced).

Final Thoughts & Next Steps

The bottom line is that CMMC 2.0 significantly streamlines the requirements and eliminates many of the barriers to compliance, especially for smaller DoD contractors with fewer resources to dedicate to cybersecurity compliance.

We continue to strongly advise that companies do not sit on the sidelines, and that they continue to explore their options for meeting their required Level of CMMC compliance. We give this advice for the following reasons:

  • DFARS 7012, 7019 and 7020 are still required for DoD contractors handling CUI.
  • Early adopters of NIST 800-171 are likely to have a market advantage with their DoD customers and partners.
  • DoD contractors should consider the risks to their organizations and balance sheets from ransomware and other types of breaches that NIST 800-171 can defend against.

We understand that many DoD contractors lack the resources in-house to complete their own self-assessments. That’s why many contractors choose to outsource the task to a provider like SysArc. We can take the burden of compliance off your team’s plate while at the same time protecting your IT infrastructure against cyber criminals.

If you have questions about implementing any of the cybersecurity controls in CMMC and about how SysArc can help, feel free to give us a call. We’ll be happy to speak with you and help you find a solution that works best for your business.

Filed Under: CMMC

How CMMC Combats the Rising Threat of Ransomware

October 6, 2021 by SysArc

Commercial businesses and government organizations alike face a growing digital threat from ransomware, more so now than at any time in recent memory.

Ransomware is a type of malware that exploits vulnerabilities to encrypt devices, taking control of an organization’s computer systems and holding its data for ransom. These types of attacks rose 150% in 2020, with the amount paid out by victims in ransoms increasing by over 300%.

Government agencies have been especially concerned with the threat ransomware poses; thousands of local government organizations have been affected by ransomware attacks, and sensitive information makes federal agencies significant targets as well. But non-government entities also form large targets and need to be proactive to protect themselves from this type of attack.

Ransomware Targets Intellectual Property

The Department of Defense (DoD) is especially concerned with the threat of ransomware since the DoD houses valuable intellectual property and controlled unclassified information (CUI). This concern extends to the private sector when private contractors work with the DoD and also must access this information to complete projects.

The Department of Defense needs contractors to be completely protected against potent malware such as ransomware so that the nation’s intellectual property isn’t compromised by bad actors.

Additionally, government contractors have their own intellectual property to protect, providing motivation for strengthening security beyond government mandates.

These are just a few of the reasons why the DoD is tightening security requirements with CMMC.

Protecting Your Network with CMMC

CMMC is designed to protect the Department of Defense and its intellectual property by securing its supply chain, including ensuring that contractors working with the DoD have the proper level of security according to the type of data they need access to.

Full compliance with CMMC involves following strict controls outlined in NIST SP 800-171 Rev. 2 and NIST SP 800-172. These standards hold contractors to the task of implementing security measures that include limiting system access, protecting devices, implementing encryption, monitoring and protecting company communications, and a host of other controls that, together, create a multi-layered, comprehensive security net designed to block ransomware and other cyber attacks.

Failing to reach these standards as a DoD contractor means that you won’t be eligible for government contracts—but even more importantly, if your security is lacking and you’re hit by a ransomware attack, your entire business could be compromised.

In 2020, the average remediation cost after a ransomware attack was $1.85 million—an expense that many businesses are unable to weather.

The Power of Proactivity

Don’t wait for federal or industry regulations to order you to increase your security. Being proactive in updating your cybersecurity will provide long-term security benefits and give you a leg up as CMMC requirements are finalized and implemented.

Finally, here’s a word of caution: Don’t assume that your IT provider is already protecting against this threat unless you’ve specifically discussed it with them. Lots of people think their MSP is already covering their ransomware protection, but the truth is, your provider may not take action until they’ve seen the consequences after you’ve already fallen prey to an attack. Make sure you’ve discussed this service specifically so you understand exactly what’s being taken care of and what’s not.

Ransomware Prevention from SysArc

As we get closer to CMMC implementation, it’s important to remember that the reasons for CMMC aren’t just to protect the government’s data, it’s to protect your business and its assets as well.

Ransomware is a serious threat to all types of businesses, so even for contractors and businesses not associated with the government at all, securing systems against ransomware should be a priority. CMMC just provides a detailed framework for you to follow to achieve this level of security, giving you peace of mind.

SysArc is dedicated to protecting businesses and organizations from cyber threats including ransomware through implementation of the strongest available cybersecurity measures, including CMMC for DoD contractors. Get in touch today to learn how we can protect your business from cyber threats.

Filed Under: CMMC, Cyber Security

Now Is the Time for DoD Contractors to Focus on NIST 800-171

October 4, 2021 by SysArc

As CMMC continues to be reviewed internally by the DoD, NIST 800-171 is more important than ever. In this article, we’ll talk about the vital role NIST 800-171 plays in CMMC, and why it’s so important for DoD contractors right now.

The Delay of CMMC

The rollout of the Cybersecurity Maturity Model Certification framework was always expected to take several years, but now, as it faces setbacks including significant changes in leadership, small businesses voicing cost concerns, and a low number of accredited third-party assessors, it looks like full implementation may come later than expected.

However, the DoD is still concerned with fully protecting CUI right now, even before CMMC becomes a requirement. It can’t afford to leave vulnerabilities open while CMMC gets ironed out and implemented. That’s where NIST 800-171 comes into play.

NIST 800-171

While CMMC is still pre-implementation, NIST 800-171 remains an enforceable standard that contractors working with the Department of Defense must comply with. In fact, last year’s DFARS Interim Rule was set up specifically so that the DoD could enforce NIST while going through the transition to CMMC. Other government agencies are now also requiring compliance with NIST standards to different degrees.

Competitive Advantage of DFARS 7019 and 7020

Making sure you have your cybersecurity compliance program in place right now improves your competitive advantage because you’ll be eligible for contracts during the transition to CMMC. DFARS 7019 and 7020 are still enforceable and potentially auditable by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Current Focus for DoD Contractor Security

Even though the CMMC rollout may be going more slowly than anticipated, now is not the time to be sitting still. Currently, DoD contractors wanting to be in a competitive position for contracts should be taking the following action when it comes to their security and compliance:

  • Perform a Readiness Assessment: A NIST 800-171 assessment performed by experienced cybersecurity professionals will deliver a gap analysis, an SPRS score, a System Security Plan (SSP), and a POA&M to show you the steps you need to take to become compliant with NIST 800-171 and reach all of the current DoD contract security requirements.
  • Get your SPRS score in: Reporting your self-assessment score to the Supplier Performance Risk System has been required since November 30, 2020. If you haven’t yet reported your score or completed remediation for any points missed, now is the time to do so.
  • Do the work for CMMC to gain maturity before the audit process: The first “M” in CMMC stands for Maturity—that means proving that your security systems have been compliant long enough to have matured. Gaining maturity could take six months to a year, and by then you may have to go through the audit process. You need to get your systems as compliant as possible now so that by the time CMMC contracts are available, you’ve demonstrated your established security systems over a period of time.

Work with SysArc

SysArc is a specialized IT provider that helps DoD contractors prepare for CMMC, comply with NIST 800-171, and navigate all federal security requirements and regulations along the way. To stay up to date with evolving compliance regulations and be fully prepared for the implementation of CMMC, contact SysArc today for a free consultation and a NIST 800-171 assessment.

Filed Under: CMMC, Cyber Security

What Contractors Can Learn from the DoD’s CMMC Guidance for Project Managers

April 14, 2021 by SysArc

With the accelerating announcements of the CMMC rollout last year and the subsequent updates that the DoD has released, there has been an industry-wide push to get cybersecurity fully implemented as contractors prepare to become CMMC certified.

For contractors anxious to know how CMMC will affect the process of awarding contracts, one announcement worth paying attention to is the DoD’s recently released guidance for program managers in charge of choosing contractors.

DoD Instruction 5000.90, or “Cybersecurity for Acquisition Decision Authorities and Program Managers,” provides specific instructions for PMs’ responsibilities regarding cybersecurity and what they should expect from vendors. Here are several main takeaways that DoD contractors should take note of from this CMMC guidance for project managers.

The DoD Is Taking CMMC Security Seriously as a Factor in Awarding Contracts

Although many contractors have built up industry relationships, even trusted partners can no longer award contracts solely on reputation or goodwill; project managers (PMs) are instructed specifically to pay attention to cybersecurity when examining vendors for contract eligibility.

In fact, they are given responsibility for ensuring that cybersecurity requirements are considered and included, meaning that PMs can and will likely be held responsible if security isn’t found to be up to par—giving the PMs higher incentive to ensure all cybersecurity requirements are followed.

The DoD has made it clear that they won’t do business with organizations that are falling behind these new requirements. This is why you can’t just check off the boxes. Cybersecurity is now a foundational requirement that must be met before an organization becomes eligible for new contracts.

What Are Project Managers Looking For in Terms of Security When Awarding DoD Contracts?

CMMC’s requirements are many, and they include completing a 110-control self-assessment and POA&M, reporting your score to the SPRS, fully implementing your POA&M, and establishing cybersecurity maturity by maintaining the necessary level of security before being awarded a contract.

Here are just a few of the points that project managers are instructed to pay attention to when judging whether a contractor has met the necessary cybersecurity requirements:

  • Protections against known and anticipated threats, as well as potential future vulnerabilities
  • Continuous cyber threat analysis
  • Security programs that, in all aspects, include operational cybersecurity and supply chain resilience
  • Periodic threat-representative adversarial assessments to assess the ability of the cyber technologies in the materiel solution to complete missions in a cyber-contested environment
  • Continuously enforced security through the risk management framework (RMF) and supply chain risk management (SCRM) systems

These indicators represent just a part of the extensive instruction and CMMC guidance given for project managers to account for during acquisition. To ensure you fully meet the expectations of the DoD, you’ll need to ensure you meet all CMMC requirements and show established maturity in implementing the required measures, including those given above.

CMMC Cybersecurity Categories and Related DFARS Resources

One section of the DoD Cyber Guidance report that may be especially relevant and useful for contractors is the table summarizing CMMC categories and their correlating instructions from DFARS resources.

In this chart, you can find a summary of essential rules with cybersecurity pillars on the left, and DoD instructional resources relating to each standard on the right:

From DoD Instruction 5000.90, Section 4

No Time to Waste in CMMC Preparation

This instruction to DoD project managers reinforces the idea that you not only need to be CMMC certified, but you also need to prove you’re continually meeting the standards, even after your POA&M is implemented. That comes through maturity—the longer you’re established as an accredited CMMC contractor, the more credibility you’ll gain.

That’s why it’s vital to implement your POA&M as soon as possible instead of waiting until the last possible moment, so that you have months or years of having a successfully run cybersecurity program under your belt to prove you will be an asset to work with based on not only your services, but also your security.

Prepare for CMMC Certification with SysArc

Since 2017, we’ve helped over 150 contractors tackle DFARS, CMMC, the Interim Rule, and other updates and requirements in the world of constantly evolving cybersecurity for government contractors. We’re more than ready to help you with your CMMC readiness assessment, remediation, and gaining the maturity needed to be competitive in the industry.

Filed Under: CMMC

What’s New with CMMC in 2021: A Focus on Maturity

April 12, 2021 by SysArc

Last year brought major changes to the Department of Defense’s cybersecurity requirements for contractors. From the announcement of the CMMC-AB formation in January to the implementation of the Interim Rule in November, 2020 saw a host of announcements that led to rapid adjustments on the part of contractors to remain compliant and eligible for DoD contracts.


As the CMMC certification and auditing process is continually rolled out, contractors must remain flexible and ready to continue improving their security. But assuming that you’re up to date with the Interim Rule requirements, what comes next in your CMMC journey?

The big push for this year is a focus on maturity—the first “M” in the Cybersecurity Maturity Model Certification—as well as remediation. Taking the steps to self-certify and create a POA&M is an essential start, but there’s still more to do before you’re ready for certification. Here’s a recap of what you should have completed over the past year and a look forward at what to focus on next for your CMMC implementation in 2021.

2020 in Review: CMMC Changes

The new CMMC framework was announced in January of last year, with several significant changes announced throughout the following months. Notably, the CMMC-AB was created to oversee the accreditation process, and the DFARS Interim Rule was announced and enacted.

Here are some of the main DFARS clauses and standards that give the big picture of last year’s transitions:

DFARS 7012

DFARS 7012 is the original rule requiring contractors to complete a self-assessment of NIST 800-171 to safeguard Covered Defense Information (CDI) and Controlled Unclassified Information (CUI). However, this rule was not widely effective due to limited enforcement. Last year’s Interim Rule built on this original standard to update the assessment process and the enforcement of the new requirements.

DFARS Interim Rule

DFARS 7019

This clause, introduced as part of the DFARS Interim Rule, stipulates that before a new award of a contract or subcontract that contains the DFARS 7012/7019 clause, a contractor must submit a NIST 800-171 Assessment score to the Supplier Performance Risk System (SPRS) using the latest DoD Assessment Methodology—the new scoring method building on the 110 security requirements specified in NIST SP 800-171.

DFARS 7020

DFARS 7020 outlines the ability of the DoD to request an ad hoc Medium- or High-level audit to verify the score submitted by the contractor to the SPRS. The contractor needs to provide an SSP and POA&M for the DoD to review and be able to show evidence of how they are satisfying the requirements.

DFARS 7021

This clause provides official notice and details around the rollout of CMMC. It requires contractors to maintain a current certification, no more than 3 years old, and commit to maintaining security throughout that period. It also requires contractors to include a CMMC clause in subcontracts and verify that subcontractors also hold the appropriate CMMC certifications.

Many organizations have gotten this far already and taken the steps of completing a self-assessment and creating a POA&M. But that’s still far from the “finish line” of being certified as cyber secure and CMMC compliant. So now, what’s next?

CMMC in 2021: Focus on Maturity and Remediation

This year is quickly becoming the year of remediation. Once you’ve identified the gaps in your security and reported your plan to fill them, you should be working on completing your POA&M by implementing cybersecurity protections, writing the necessary policies to enable and enforce security, and establishing maturity.

CMMC Maturity

A core aspect of CMMC maturity is having your security program in place for a length of time before you apply for certification. Maturity is gained the longer you have your comprehensive cybersecurity program successfully in place. The more time that has passed since you fully implemented your cybersecurity plan, the more credibility and maturity you’ll have as a secure provider.

Some involved in the rollout of CMMC have stated that it will likely take six to nine months to fully implement a POA&M and achieve full compliance; however, the project managers awarding contracts will want to see time spent with that plan in place and cybersecurity still being upheld, potentially stretching your total timeline closer to 9-12 months.

What that means for contractors is that there’s no time to waste; the sooner you can fully implement your POA&M, the more maturity you’ll have, and the better position you’ll be in.

Steps & Timeline for CMMC in 2021 Moving Forward

CMMC Readiness Assessment

This is the low-cost first step to comply with the Interim Rule. You’ve likely already completed this step—but if not, now is the time to get it done. Deliverables include your accurate assessment score for SPRS, SSP/POA&M, and recommendations for remediation to implement your POA&M.

Remediation & Maturity in 2021

Use 2021 to complete your POA&M and gain maturity by having your cybersecurity program in place and running well before you’re audited. It’s important to get your program fully deployed as soon as possible to gain maturity. Your organization may even have been asked to give a date by which you’ll fully implement your POA&M and achieve a perfect score; but even in cases without specific deadlines, you should be acting with urgency to put protections in place.

CMMC Audits: Late 2021 Through 2025

CMMC audits will increase as the DoD rolls out new programs and contracts with CMMC requirements. You may be required to undergo an audit as your current contract comes up for recompete if it includes CMMC requirements.

CMMC Audit Preparation & Assessment Services

SysArc helps DoD contractors throughout the US navigate CMMC, from initial readiness assessments to ongoing cybersecurity guidance. We offer a full CMMC solution, customized to your needs, and work closely with our clients to help them understand CMMC to remain competitive in the industry.

We’ve also been awarded the status of a Registered Provider Organization (RPO) and C3PAO from the CMMC Accreditation Board, meaning we’re committed to having trained experts to assist with all aspects of the CMMC process.

For more information on how to prepare for CMMC, see our CMMC Complete Preparation Guide. If you need a consultant to walk you through the process, see our CMMC compliance services. If you’d like to speak with someone about preparing for a CMMC audit now, feel free to give us a call at (240) 453-4146 or schedule a CMMC consultation. There’s never a better day than today to start taking the next step toward security and maturity.

Filed Under: CMMC

DFARS Interim Rule – 5 Key Takeaways to Be Aware of Now

October 16, 2020 by SysArc


Download the Official DFARS Interim Rule Document from the Federal Register

On September 29, the Defense Acquisition Regulations System released a new Interim Rule to supplement current DFARS regulations.

While the Department of Defense is working to get the CMMC program completed in record time, the process is taking longer than anticipated, and CMMC is now slated to be rolled out over a five-year period. But over the past few years, the current method of self-assessment used in DFARS standards has proved insufficient as the DoD supply chain continues to be subjected to cyber attacks, leading to the necessity of more immediate improvements to security.

The purpose of this Interim Rule is to increase DoD contractor security in existing DFARS 7012 requirements while the process of CMMC implementation is still in development. It will ensure that DFARS requirements are being followed by creating a DoD Assessment Methodology and Cybersecurity Maturity Model Certification framework.

This rule enacts new requirements, such as a self-scoring methodology and reporting, as well as the announcement of increased audits at Basic, Medium, and High levels of scrutiny.

5 Key Takeaways to Be Aware of Now

Although there are many takeaways in the new interim rule, we identified the following five items that we think will affect many contractors right away:

  1. This new requirement takes effect on December 1, 2020 for all contractors that are subject to the DFARS 252.204-7012 clause based on their handling of Controlled Unclassified Information (CUI).
  2. Contractors that handle CUI will need to complete a new NIST 800-171 Self-Assessment based on a new scoring methodology and then post their score in the Supplier Performance Risk System (SPRS) before a contract will be awarded.
  3. The Self-Assessment must also include the completion of a System Security Plan (SSP) with a Plan of Action and Milestones (POAM) describing the current state of their network and their plan to achieve 100% compliance with the NIST 800-171 requirements.
  4. Prime Contractors must flow this requirement down to their subcontractors/suppliers that handle CUI as well.
  5. DCMA will be conducting random audits to ensure companies have not only completed the self-assessment, but have scored themselves accurately, have an SSP, and are working towards completing a realistic POAM.

New Interim Rule Self-Assessment Scoring and Reporting

DoD contractors who handle controlled unclassified information (CUI) are very familiar with the NIST SP 800-171 security requirements, which require contractors to self-assess their cybersecurity preparedness.

The NIST SP 800-171 DoD Assessment Scoring Methodology detailed in the Interim Rule will help contractors grade themselves with a standardized score that reflects the NIST SP 800-171 security requirements they do not yet have in place.

How NIST SP 800-171 DoD Assessment Methodology Scoring Works

The methodology document summarizes how DoD assesses a contractor's implementation of NIST SP 800-171 as follows:

  • The NIST SP 800-171 DoD Assessment Methodology enables DoD to strategically assess a contractor's implementation of NIST SP 800-171 on existing contracts which include DFARS clause 252.204-7012, and to provide DoD Components with visibility into the summary-level scores of strategic assessments completed by DoD, thus providing an alternative to the contract-by-contract approach.
  • The NIST SP 800-171 DoD Assessment consists of three levels of assessment (see Section 4 of the methodology document). These three types of assessment reflect the depth of the assessment and the associated level of confidence in the assessment results.
  • Assessment of contractors with contracts containing DFARS clause 252.204-7012 is anticipated to be once every three years unless other factors, such as program criticality/risk or a security-relevant change, drive the need for a different assessment frequency.

SPRS Reporting

To submit your basic assessment to SPRS, you must fill out:

  • Your system security plan name
  • The CAGE code associated with the plan
  • A brief description of the plan architecture
  • The date the assessment was completed
  • Your total score
  • The date that a score of 110 will be achieved
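The following is an added example, not code from SysArc or from the DoD methodology itself. It shows how the Basic self-score described above is derived and how the SPRS fields just listed fit together: the score starts at 110 and is reduced by the point value (5, 3 or 1) of every requirement not implemented, two requirements (multifactor authentication and FIPS-validated cryptography) allow a reduced deduction when partially implemented, and the "date a score of 110 will be achieved" is the latest milestone on the POAM. The requirement IDs and point values in `SAMPLE_REQUIREMENTS` are an assumed, constructed subset; the authoritative table of all 110 requirements and their values is in the methodology's annex, and a real submission must score every requirement, not six.

```python
"""Added example: NIST SP 800-171 DoD Assessment self-score and SPRS record.
Not SysArc's or DoD's code; point values below are an assumed sample."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

MAX_SCORE = 110   # full credit: one entry per NIST SP 800-171 requirement
MIN_SCORE = -203  # floor reached when nothing at all is implemented


@dataclass(frozen=True)
class Requirement:
    rid: str                              # NIST SP 800-171 requirement id
    title: str
    points: int                           # deducted when not implemented (5, 3 or 1)
    partial_points: Optional[int] = None  # reduced deduction where partial credit is allowed


# Constructed sample subset of the 110 requirements (values assumed; check the methodology annex).
SAMPLE_REQUIREMENTS: List[Requirement] = [
    Requirement("3.1.1", "Limit system access to authorized users", 5),
    Requirement("3.1.5", "Employ the principle of least privilege", 3),
    Requirement("3.1.20", "Verify and control connections to external systems", 1),
    Requirement("3.5.3", "Use multifactor authentication", 5, partial_points=3),
    Requirement("3.13.11", "Employ FIPS-validated cryptography to protect CUI", 5, partial_points=3),
    Requirement("3.14.2", "Provide protection from malicious code", 5),
]


def compute_score(requirements: Iterable[Requirement], status: Dict[str, str]) -> int:
    """status maps rid -> 'implemented' | 'partial' | 'not_implemented'.
    Requirements missing from status are treated as not implemented (conservative)."""
    score = MAX_SCORE
    for req in requirements:
        state = status.get(req.rid, "not_implemented")
        if state == "implemented":
            continue
        if state == "partial":
            if req.partial_points is None:
                raise ValueError(f"{req.rid} does not allow partial credit")
            score -= req.partial_points
        elif state == "not_implemented":
            score -= req.points
        else:
            raise ValueError(f"unknown status {state!r} for {req.rid}")
    return score


def open_items(requirements: Iterable[Requirement], status: Dict[str, str]) -> List[str]:
    """Requirement ids that still need a POAM entry (anything not fully implemented)."""
    return [r.rid for r in requirements if status.get(r.rid, "not_implemented") != "implemented"]


def build_sprs_record(requirements: Iterable[Requirement], status: Dict[str, str],
                      poam: Dict[str, date], *, ssp_name: str, cage_code: str,
                      architecture: str, assessed_on: date) -> dict:
    """Assemble the six fields SPRS asks for in a Basic assessment submission.
    Every open requirement must carry a POAM milestone dated on or after the assessment."""
    reqs = list(requirements)
    gaps = open_items(reqs, status)
    missing = [rid for rid in gaps if rid not in poam]
    if missing:
        raise ValueError(f"POAM has no milestone for: {missing}")
    stale = [rid for rid in gaps if poam[rid] < assessed_on]
    if stale:
        raise ValueError(f"POAM milestone predates the assessment for: {stale}")
    full_score_date = max(poam[rid] for rid in gaps) if gaps else assessed_on
    return {
        "ssp_name": ssp_name,
        "cage_code": cage_code,
        "architecture_description": architecture,
        "assessment_date": assessed_on.isoformat(),
        "score": compute_score(reqs, status),
        "date_score_110_achieved": full_score_date.isoformat(),
    }


# Constructed sample self-assessment: MFA only partly deployed, no FIPS-validated crypto yet.
SAMPLE_STATUS = {"3.1.1": "implemented", "3.1.5": "implemented", "3.1.20": "implemented",
                 "3.5.3": "partial", "3.13.11": "not_implemented", "3.14.2": "implemented"}
SAMPLE_POAM = {"3.5.3": date(2021, 3, 31), "3.13.11": date(2021, 6, 30)}


def example_record() -> dict:
    """Sample submission (constructed values, including a placeholder CAGE code)."""
    return build_sprs_record(SAMPLE_REQUIREMENTS, SAMPLE_STATUS, SAMPLE_POAM,
                             ssp_name="Corporate CUI Enclave SSP", cage_code="CAGE-PLACEHOLDER",
                             architecture="Segmented enclave hosting CUI; MFA on remote access only",
                             assessed_on=date(2020, 11, 20))


if __name__ == "__main__":
    for k, v in example_record().items():
        print(f"{k}: {v}")
```

Because unlisted requirements default to "not implemented", a partially filled status map can only lower the score, which is the safe direction when the submission will be audited for accuracy; the milestone-date check rejects a POAM that promises completion before the assessment date, a common inconsistency between the SSP and the posted score.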

Increased Audits

To ensure the legitimacy of reported results, increased, random audits will be conducted. These check-ups will evaluate companies’ compliance with NIST and the accuracy of their self-assessment score posted on SPRS.

Contractors will receive one of three assessment levels—Basic, Medium, or High—depending on the depth of the assessment and the level to which the contractor has implemented the security measures outlined.

What the Interim Rule Means for DoD Contractors

Get an Assessment Immediately

Even if you've had an assessment recently, you will probably need to update it to incorporate the new scoring methodology. This needs to happen quickly: starting December 1, 2020, it is required for all contractors with the 252.204-7012 clause in their agreement.

In the long term, contractors handling CUI will need to achieve CMMC Level 3 compliance, and fulfilling the requirements of this Interim Rule will put you in a strong position to be CMMC Level 3 ready.

DFARS 252.204-7012 Isn’t Going Away

DFARS 7012 was created three years ago in order to better protect the DoD supply chain. CMMC has become the new focus as companies prepare to meet the new standards, but the announcement of the Interim Rule emphasizes that CMMC is building on the foundation of DFARS 7012 and acting as the enforcement mechanism for the cybersecurity standards already in place.

Think of CMMC as a continuation of DFARS, and the Interim Rule as a procedure that helps bridge the gap between the two while CMMC is still being enacted.

Receive a Scored Assessment Now

SysArc has helped over 1,000 DoD contractors understand the requirements of DFARS 7012 and NIST SP 800-171 and take necessary steps toward compliance. We help DoD contractors properly protect the confidentiality of CUI in order to remain in compliance with regulations and eligible for DoD contracts.

We can help you navigate the requirements of the Interim Rule and other updates as CMMC is rolled out and worked into existing DFARS requirements.

Immediate action is required to get prepared for the December 1 deadline and remain eligible for contracts. Contact us today to receive a scored assessment and guidance through the process of complying with DFARS, the Interim Rule, and future developments in CMMC and DFARS.

Filed Under: CMMC
