As CMMC continues to be reviewed internally by the DoD, NIST 800-171 is more important than ever. In this article, we’ll talk about the vital role NIST 800-171 plays in CMMC, and why it’s so important for DoD contractors right now.
The Delay of CMMC
The rollout of the Cybersecurity Maturity Model Certification (CMMC) framework was always expected to take several years, but it now faces setbacks: significant changes in leadership, small businesses voicing cost concerns, and a low number of accredited third-party assessors. Full implementation may therefore come later than expected.
However, the DoD is still concerned with fully protecting CUI right now, even before CMMC becomes a requirement. It can’t afford to leave vulnerabilities open while CMMC gets ironed out and implemented. That’s where NIST 800-171 comes into play.
While CMMC is still pre-implementation, NIST 800-171 remains an enforceable standard: contractors that handle CUI under a DFARS 252.204-7012 clause must already comply with it. In fact, last year’s DFARS Interim Rule was set up specifically so that the DoD could enforce NIST 800-171 while going through the transition to CMMC. Other government agencies are now also requiring compliance with NIST standards to different degrees.
Competitive Advantage of DFARS 7019 and 7020
Making sure you have your cybersecurity compliance program in place right now improves your competitive advantage because you’ll be eligible for contracts during the transition to CMMC. DFARS 252.204-7019 and 252.204-7020 are currently enforceable: 7019 requires a current NIST 800-171 assessment score in SPRS before award, and 7020 gives the DoD the right to conduct its own Medium or High assessment, performed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Current Focus for DoD Contractor Security
Even though the CMMC rollout may be going more slowly than anticipated, now is not the time to be sitting still. Currently, DoD contractors wanting to be in a competitive position for contracts should be taking the following action when it comes to their security and compliance:
- Perform a Readiness Assessment: A NIST 800-171 assessment performed by experienced cybersecurity professionals will deliver a gap analysis, an SPRS score calculated under the DoD Assessment Methodology, a System Security Plan (SSP), and a POA&M that lays out the steps you need to take to become compliant with NIST 800-171 and meet all of the current DoD contract security requirements.
- Get your SPRS score in: Reporting your self-assessment score to the Supplier Performance Risk System has been required since November 30, 2020. If you haven’t yet reported your score or completed remediation for any points missed, now is the time to do so.
- Do the work for CMMC to gain maturity before the audit process: The first “M” in CMMC stands for Maturity, which means proving that your security practices have been in place long enough to have matured. Gaining that maturity could take six months to a year, and by then you may have to go through the audit process. Get your systems as compliant as possible now so that, by the time CMMC contracts are available, you can demonstrate established security practices over a period of time.
Work with SysArc
SysArc is a specialized IT provider that helps DoD contractors prepare for CMMC, comply with NIST 800-171, and navigate all federal security requirements and regulations along the way. To stay up to date with evolving compliance regulations and be fully prepared for the implementation of CMMC, contact SysArc today for a free consultation and a NIST 800-171 assessment.