As one of our industry’s leading CMMC consultants, Abel Solutions keeps our clients and readership updated on the most recent developments with the Cybersecurity Maturity Model Certification.

Here is the latest news as of January 2022.

The CMMC Interim DFARS Rule

In January 2020, the Cybersecurity Maturity Model Certification (CMMC) was officially made part of the Defense Federal Acquisition Regulation Supplement (DFARS).

Affecting over 300,000 members of the defense industrial base (DIB)—primarily small and midsize businesses (SMBs)—the CMMC caused quite the stir for DIB members regarding its implications for existing and future government contracts.

On November 30, 2020 the Interim DFARS Rule (DFARS Case 2019-D041) was announced and added yet another layer of complexity to the CMMC. The Interim DFARS Rule mandates that, in order to qualify for new defense contracts and renewals of existing contracts, all defense contractors must perform self-assessments of their cybersecurity using the NIST CSF (SP) 800-171 DoD Assessment Methodology.

The CMMC was then updated to CMMC 2.0 in November of 2021.

Amid all the confusion and scrutiny surrounding CMMC’s evolution, it’s best to first address how the Interim DFARS Rule impacts your organization as a member of the DIB.

In this short blog, you’ll learn

  • how the Interim DFARS Rule changed the CMMC
  • what the Interim DFARS Rule mandates contractors to do
  • what your next immediate step should be with this latest mandate by the Department of Defense (DoD).

How Has the Interim DFARS Rule Changed CMMC?

  • The Department of Defense has once again stressed the need for DoD contractors to observe the 110 cybersecurity controls outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171
  • Prior to the creation of CMMC, DFARS only mandated most defense contractors to affirm that they observed all the controls specified by 800-171
  • Because of a growing trend of controlled, unclassified information (CUI) being leaked, the DoD decided to reign in non-compliant contractors via the Interim DFARS Rule
  • The Interim DFARS Rule requires contractors to complete self-assessments and officially score their 800-171 compliance status according to a scoring system developed by the DoD
  • The self-assessment score must be uploaded to a federal database – the Supplier Performance Risk System (SPRS) — for the contractor to be eligible for new contracts and renewals
  • The deadline to conduct a self-assessment and upload it to the SPRS database was November 30, 2020 if you intend to accept any DoD-related contracts that include the flow down of contract clause DFARS 252.204-7012 issued after December 1, 2020.

Now that we’ve outlined the urgency with which you should approach complying with the Interim DFARS Rule, let’s dive into how the self-assessment works.

CMMC Self-Assessment and the Scoring Matrix

During the CMMC self-assessment, contractors are expected to rate themselves based on the implementation of each of the 110 cybersecurity controls outlined in 800-171.

All DoD contractors are mandated by the CMMC to conduct these self-assessments once every three years unless any event requires a change in the interim.

Contractors are already subject to random DoD and prime contractor audits, so it’s vital to maintain the 800-171 cybersecurity controls and have recent documentation validating security and compliance.

Every self-assessment begins with a perfect score of 110, a single point accounting for each of the 800-171 controls. Points are then subtracted for each instance of non-implementation of controls. Each control holds a weighted point value ranging from 1 to 5 based on its security significance.

Partially implemented controls receive zero credit, except for multi-factor authentication and FIPS-validated encryption. Although NIST doesn’t officially prioritize security requirements, it asserts that some controls maintain a higher impact on a network’s security.

Here are four things you must remember regarding your CMMC self-assessment:

Get A Perfect CMMC Score—or Create a Plan of Action To Get One

If you do not achieve a perfect score of 110 points, you must create a Plan of Action and Milestones (POA&M) document detailing how each deficiency will be remediated. Once each deficiency is successfully addressed, you can update your self-assessment score.

Develop A System Security Plan (SSP)

As a DoD contractor, you must also develop a System Security Plan (SSP) outlining how 800-171 controls have been implemented through operational procedures, organizational policies and technical components.

Make SSPs & POA&Ms Available for Audit

While SSPs and POA&Ms are not required to be uploaded to the federal database, they must still be available for audit.

Submit CMMC Self-Assessment Score within 30 Days

Once you’ve completed your self-assessment, you must upload your score to the governmental SPRS database within 30 days of the assessment.

Get assessment-ready now!

To continue to qualify for new DoD contracts and renewals while CMMC is still being rolled out, you must prepare your organization to conduct a thorough and accurate CMMC self-assessment. Complying with the Interim DFARS Rule now will help you remain prepared for every future evolution of the CMMC.

Navigating through the complexities of CMMC can be frustrating and overwhelming. That’s why having an experienced partner to guide you through every step of assuring and maintaining compliance is paramount.

Schedule a free CMMC consultation below to learn more about our CMMC consulting services.

Talk To A CMMC Consultant

Schedule a free consultation with one of our CMMC experts today.