NIST 800-171 Compliance & CMMC Interim Rule
Why the New Changes?
The continual theft of intellectual property and sensitive information via the supply chain of the Department of Defense (DoD) has become a major threat to U.S. economic and national security.
To secure all classified data, the DoD has created the Cybersecurity Maturity Model Certification (CMMC) to ensure that all contractors (including prime and subcontractors) are following and maintaining cybersecurity best practices. The days of self-assessments without third-party verification have come to an end.
Need Help with NIST or CMMC?
At Encompass IT Solutions, we are helping DoD contractors throughout Connecticut and Massachusetts with their NIST 800-171 DoD Self-Assessment Score Reports, their System Security Plan (SSP), their Plan of Action & Milestones (PoA&M), and Supplier Performance Risk System (SPRS) submittals. As a result, these prime and subcontractors are eligible to bid and win DoD contracts with their perfect score of 110/110 controls, as defined by the NIST 800-171 requirements. We have a team of cybersecurity experts with a wealth of knowledge regarding NIST 800-171 and the upcoming CMMC regulations, and we'd love to be a resource for you.
Effectively preparing for CMMC is a relatively straightforward process, since the DoD has made NIST 800-171 the main foundation for the CMMC certification.
If your DoD contract's fine print contains the DFARS 252.204-7012 "Safeguarding Covered Defense Information and Cyber Incident Reporting" clause, you will need to take action now to be able to bid on or accept DoD contracts.
The 5 Steps for CMMC Preparation
Assess your compliance against NIST 800-171 and CMMC Maturity Level 3.
CMMC incorporates all 110 security requirements of NIST 800-171, covering 85% of the CMMC Level 3 compliance requirements.
The CMMC covers five maturity levels, and without knowing what level your organization will be required to achieve, the first step is a practical, tailored assessment against NIST 800-171 and CMMC Maturity Level 3. This step enables you to meet current regulatory requirements and prepare for CMMC simultaneously.
Document your System Security Plan (SSP).
Your SSP describes your environment and how you have implemented all of the required security requirements.
Nobody enjoys documentation, but it’s required, and if done correctly, your SSP will be transformational for your organization. Your SSP is not a template; it should become a precise representation of how your organization protects Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) as it flows through your systems.
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate system vulnerabilities in preparation for CMMC.
Inevitably there will be requirements that you do not currently meet. Requirements not met should have been documented during your assessment, and a POAM “return to green” plan created to meet these requirements. Often, these plans also answer management's questions about how much achieving compliance will cost and how long it will take.
Document your Plan of Actions & Milestones (PoAM).
Execute POAMs and achieve full compliance with NIST 800-171 to prepare for CMMC and become compliant with existing contracts.
Though the focus is on certification, implementation is the long pole in the tent to full compliance for any company. Implementation across the 17 domains of CMMC requires subject matter expertise and prioritizing resources based on the results of your assessment. Expect this to be the longest, most challenging part of your journey to compliance.
Implement your PoAM & the Required Controls.
Document and implement a plan to leverage internal or external resources to maintain compliance and quickly achieve the required CMMC maturity level.
Compliance is not a one and done activity, and CMMC will require re-certification periodically. Managed services will enable you to maintain compliance over the long haul and avoid the atrophy that can lead to a failed audit.
Maintain your NIST & CMMC Compliance.
What is CMMC?
The CMMC model is a set of mandatory cybersecurity requirements that all 300,000+ DoD defense contractors MUST implement and have verified by an independent third-party auditor before a DoD contract can be bid on or awarded. There are no exceptions or waivers; this applies to every DoD supplier, including all prime and subcontractors.
How will CMMC Affect Your Business?
CMMC will be mandatory for all DoD contractors (both prime and subcontractors). Self-attestation will no longer be acceptable, as CMMC requires an independent third-party certification. The protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will become a pass-fail contract award criterion.