DFARS Implementing CMMC Requirements
In September, the Department of Defense (DoD) announced a new interim rule that offers some clarity about what is required of contractors as part of the phased roll-out of the Cybersecurity Maturity Model Certification (CMMC)—a verification and validation process with a set of cybersecurity requirements.
The new rule, which goes into effect on November 30, 2020, is the first step in enforcing CMMC compliance before the requirements are fully implemented in October 2025.
The rule includes two new clauses. The first, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7020, states that contractors must use the NIST SP 800-171 DoD Assessment Methodology to complete a Basic Assessment in order to conduct any contract actions on or after November 30. The second, DFARS clause 252.204-7019, requires that all contractors have a current (not older than three years) assessment on record in the Supplier Performance Risk System (SPRS) for all covered contractor information systems that are relevant to the offer.
Enforcement of these clauses ensures that contractors have done their due diligence in safeguarding their documents, assets, information, and networks before they bid on contracts. While many companies claimed to be cyber secure before this rule, without a standard methodology for self-assessing cybersecurity or a requirement for having an assessment on record, these claims weren’t always validated. And with billions of dollars having been lost in intellectual property theft from defense contractors over the past few years, it’s clear that having a stricter standard for cybersecurity verification is necessary.
Under the new rule, contractors will self-assess their cybersecurity infrastructure using the scoring method defined by the NIST SP 800-171 DoD Assessment Methodology. This self-assessment expresses the company's level of compliance as a numeric score, with a score of 110 meaning that the company has fully implemented all 110 NIST SP 800-171 security requirements. Within 30 days of completing the assessment, companies must submit their results to SPRS. After a contract is awarded, the DoD might request an additional Medium Assessment or High Assessment, which involves a more thorough review of the contractor's system security plan.
When will CMMC requirements be enforced by DFARS?
The CMMC requirements will be fully adopted and enforced by DFARS officially on October 1, 2025. In the meantime, the interim rule prepares contractors for compliance by requiring them to have a current cybersecurity assessment on record before they bid on DoD contracts.
What are the risks of not being compliant with CMMC in time?
Once CMMC is fully implemented on October 1, 2025, DoD contracting officers cannot award or exercise an option on a contract that doesn't have a current (less than three years old) certification for the appropriate CMMC level. But even as early as January 2021, some contracts will require CMMC certification. That means that if one of your contracts is designated with a CMMC level starting in January and you are not yet compliant with that level, you run the risk of being unable to bid.
An additional effect of not complying with CMMC is that you could inadvertently be putting our country at risk, physically and economically. CMMC is designed to expose and fix weak security areas and prevent security breaches within the Defense Industrial Base (DIB). Making compliance a priority is the best way to protect your most valuable digital assets as well as our nation’s.
Becoming compliant is no small task, however. While select cybersecurity tools and compliance services can offer some security and compliance, they rarely offer complete security protection, and they often end up getting in the way of business operations. Hyper Vigilance offers an alternative: operating entirely within a highly secure, pre-configured cloud-based platform designed to meet CMMC level 3 requirements and to accelerate your compliance journey. Our Guardnet compliance service is a turnkey virtual platform that works as an end-to-end compliance solution, getting your business secure without sacrificing productivity. Learn more about Guardnet here.
How can I get started with becoming CMMC compliant?
The best way to start your company's path toward CMMC compliance is to do an internal audit of your cyber infrastructure using the general outline of the CMMC compliance regulations. This will give you a good starting point for where your company will need to devote its cybersecurity efforts. From there, it's important to understand what the cost and timeline will be for acting on the gaps identified during your internal audit.
Oftentimes, the solutions and services needed to become and stay compliant are more than a small business can handle, making off-loading the bulk of the work to third parties a more cost-effective option. Here at Hyper Vigilance, we're committed to taking this work off your shoulders. Our compliance management services include everything you need to prepare for an official audit, including compliance risk assessment, documentation, reporting, and monitoring.
Start Your Compliance Journey with Hyper Vigilance
With CMMC on its way to becoming the law, it’s best to get ahead of the curve by starting your compliance journey today. At Hyper Vigilance, our goal is to make getting compliant as simple and accessible as possible, which is why we offer a straightforward pricing model for our full-service compliance management services and offerings. Contact us today to get secure, fast.