Last year brought major changes to the Department of Defense’s cybersecurity requirements for contractors. From the announcement of the CMMC-AB formation in January to the implementation of the Interim Rule in November, 2020 saw a host of announcements that led to rapid adjustments on the part of contractors to remain compliant and eligible for DoD contracts.
As the CMMC certification and auditing process is continually rolled out, contractors must remain flexible and ready to continue improving their security. But assuming that you’re up to date with the Interim Rule requirements, what comes next in your CMMC journey?
The big push for this year is a focus on maturity—the first “M” in the Cybersecurity Maturity Model Certification—as well as remediation. Taking the steps to self-certify and create a POA&M is an essential start, but there is still more to do before you are ready for certification. Here is a recap of what you should have completed over the past year and a look ahead at what to focus on next for your CMMC implementation in 2021.
2020 in Review: CMMC Changes
The new CMMC framework was announced in January of last year, with several significant changes announced throughout the following months. Notably, the CMMC-AB was created to oversee the accreditation process, and the DFARS Interim Rule was announced and enacted.
Here are some of the main DFARS clauses and standards that give the big picture of last year’s transitions:
DFARS 7012 is the original rule requiring contractors to complete a self-assessment of NIST 800-171 to safeguard Covered Defense Information (CDI) and Controlled Unclassified Information (CUI). However, this rule was not widely effective due to limited enforcement. Last year’s Interim Rule built on this original standard to update the assessment process and the enforcement of the new requirements.
DFARS Interim Rule
DFARS 7019, introduced as part of the DFARS Interim Rule, stipulates that before a new award of a contract or subcontract that contains the DFARS 7012/7019 clause, a contractor must submit a NIST 800-171 Assessment score to the Supplier Performance Risk System (SPRS) using the latest DoD Assessment Methodology—the new scoring method built on the 110 security requirements specified in NIST SP 800-171.
DFARS 7020 outlines the ability of the DoD to request an ad hoc Medium- or High-level audit to verify the score submitted by the contractor to the SPRS. The contractor needs to provide an SSP and POA&M for the DoD to review and be able to show evidence of how they are satisfying the requirements.
This clause provides official notice and details around the rollout of CMMC. It requires contractors to maintain a current certification, no more than three years old, and to commit to maintaining security throughout that period. It also requires contractors to include a CMMC clause in subcontracts and to verify that subcontractors hold the appropriate CMMC certifications.
Many organizations have gotten this far already and taken the steps of completing a self-assessment and creating a POA&M. But that’s still far from the “finish line” of being certified as cyber secure and CMMC compliant. So now, what’s next?
CMMC in 2021: Focus on Maturity and Remediation
This year is quickly becoming the year of remediation. Once you’ve identified the gaps in your security and reported your plan to fill them, you should be working on completing your POA&M by implementing cybersecurity protections, writing the necessary policies to enable and enforce security, and establishing maturity.
A core aspect of CMMC maturity is having your security program in place for a length of time before you apply for certification. Maturity is gained the longer you have your comprehensive cybersecurity program successfully in place. The more time that has passed since you fully implemented your cybersecurity plan, the more credibility and maturity you’ll have as a secure provider.
Some involved in the rollout of CMMC have stated that it will likely take six to nine months to fully implement a POA&M and achieve full compliance; however, the project managers awarding contracts will want to see time spent with that plan in place and cybersecurity still being upheld, potentially stretching your total timeline closer to 9-12 months.
What that means for contractors is that there’s no time to waste; the sooner you can fully implement your POA&M, the more maturity you’ll have, and the better position you’ll be in.
Steps & Timeline for CMMC in 2021 Moving Forward
CMMC Readiness Assessment
This is the low-cost first step to comply with the Interim Rule. You have likely already completed it, but if not, now is the time to get it done. Deliverables include your accurate assessment score for SPRS, your SSP and POA&M, and recommendations for the remediation needed to implement your POA&M.
Remediation & Maturity in 2021
Use 2021 to complete your POA&M and gain maturity by having your cybersecurity program in place and running well before you are audited; the sooner the program is fully deployed, the more maturity you accrue. Your organization may even have been asked to give a date by which you will fully implement your POA&M and achieve a perfect score, but even without a specific deadline, you should be acting with urgency to put protections in place.
CMMC Audits: Late 2021 Through 2025
CMMC audits will increase as the DoD rolls out new programs and contracts with CMMC requirements. You may be required to undergo an audit as your current contract comes up for recompete if it includes CMMC requirements.
CMMC Audit Preparation & Assessment Services
SysArc helps DoD contractors throughout the US navigate CMMC, from initial readiness assessments to ongoing cybersecurity guidance. We offer a full CMMC solution, customized to your needs, and work closely with our clients to help them understand CMMC to remain competitive in the industry.
We’ve also been awarded the status of a Registered Provider Organization (RPO) and C3PAO from the CMMC Accreditation Board, meaning we’re committed to having trained experts to assist with all aspects of the CMMC process.
For more information on how to prepare for CMMC, see our CMMC Complete Preparation Guide. If you need a consultant to walk you through the process, see our CMMC compliance services. If you’d like to speak with someone about preparing for a CMMC audit now, feel free to give us a call at (240) 453-4146 or schedule a CMMC consultation. There’s never a better day than today to start taking the next step toward security and maturity.