What you need to know about the DoD’s Cybersecurity Maturity Model Certification program

As of November 30, 2020, all U.S. defense contractors are required to assess their NIST SP 800-171 compliance before they can receive a new contract or extend an existing one.

The obligation was introduced by the same DFARS interim rule as the CMMC (Cybersecurity Maturity Model Certification) program, which is designed to let the DoD (Department of Defense) assess the cybersecurity readiness of prospective suppliers and subcontractors.

To comply, organizations must have an assessment score that is no more than three years old entered in the DoD’s SPRS (Supplier Performance Risk System).

In this blog, we help you understand how the CMMC works and share our guidance on how to complete a NIST SP 800-171 assessment.

How does the CMMC work?

The objective of the CMMC is to improve measures for protecting the U.S. defense supply chain by standardizing cybersecurity controls.

Contractors must therefore engage an independent, certified third-party assessor to verify that the necessary defenses have been implemented. The measures you are expected to apply depend on the CMMC level to which you are subject.

There are five levels of CMMC, and each level adds controls on top of the previous one. The DoD sets the required level for each individual contract.

Organizations that fail to comply with the necessary level will lose their contract and may be excluded from receiving future contracts.

Before the CMMC took effect, defense contractors were subject to the DFARS (Defense Federal Acquisition Regulation Supplement), which required organizations only to attest that they had adopted the controls outlined in NIST SP 800-171.

Unfortunately, many contractors made false compliance claims or otherwise failed to meet their requirements.

That’s why the CMMC is stricter, mandating that organizations complete self-assessments and formally score their 800-171 status.

The DoD’s scoring methodology must be followed, and the resulting score must be uploaded to the SPRS.

Contractors must also create an SSP (System Security Plan) and a POA&M (Plan of Action and Milestones) to address any areas of non-compliance before qualifying for future contracts.
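The scoring methodology referred to above starts every organization at 110 points, one for each NIST SP 800-171 requirement, and subtracts a weight of 5, 3 or 1 for each requirement that is not fully implemented; items still open on a POA&M count as not implemented. Two requirements allow partial credit: 3.5.3 (multifactor authentication) loses 3 points rather than 5 when MFA covers remote and privileged access but not general users, and 3.13.11 (FIPS-validated cryptography) loses 3 rather than 5 when encryption is in place but not FIPS-validated. The following calculator is an added example, not code from the original post or from the DoD; it encodes those rules, but the small requirement table inside it is a constructed sample whose weights (other than the two 5-point partial-credit items) are illustrative, so the real weights must be taken from Annex A of the DoD Assessment Methodology before scoring a live environment.

```python
"""Worked example: scoring a NIST SP 800-171 self-assessment the way the DoD
Assessment Methodology does. Added illustration, not the original post's code.
"""
from dataclasses import dataclass
from enum import Enum

MAX_SCORE = 110                    # 110 requirements, one point of "credit" each
VALID_WEIGHTS = {5, 3, 1}          # every requirement is weighted 5, 3 or 1

# Requirements that may be scored as partially implemented, and the reduced
# deduction they receive instead of their full 5-point weight.
PARTIAL_CREDIT = {
    "3.5.3": 3,    # MFA for remote/privileged users only, not general users
    "3.13.11": 3,  # encryption in use but not FIPS-validated
}


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"                  # only valid for PARTIAL_CREDIT items
    NOT_IMPLEMENTED = "not_implemented"  # includes anything still on the POA&M


@dataclass(frozen=True)
class Requirement:
    id: str       # NIST SP 800-171 requirement number, e.g. "3.1.1"
    weight: int   # points deducted when not implemented


# Constructed sample table (ASSUMPTION): a handful of requirements, not all 110.
# Weights for 3.5.3 and 3.13.11 are 5 by definition of the partial-credit rule;
# the others are placeholders and must be replaced from Annex A for real use.
SAMPLE_REQUIREMENTS = [
    Requirement("3.1.1", 5),
    Requirement("3.1.2", 5),
    Requirement("3.1.5", 3),
    Requirement("3.1.20", 1),
    Requirement("3.5.3", 5),
    Requirement("3.13.11", 5),
]


def validate_table(requirements):
    """Reject duplicate IDs or weights outside the 5/3/1 scheme."""
    seen = set()
    for req in requirements:
        if req.weight not in VALID_WEIGHTS:
            raise ValueError(f"{req.id}: weight {req.weight} is not 5, 3 or 1")
        if req.id in seen:
            raise ValueError(f"{req.id}: duplicate requirement")
        seen.add(req.id)
    return True


def deduction(req, status):
    """Points lost for one requirement under the methodology's rules."""
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.PARTIAL:
        if req.id not in PARTIAL_CREDIT:
            # Only the two named requirements may be scored "partial";
            # everything else is implemented or it is not.
            raise ValueError(f"{req.id} does not allow partial credit")
        return PARTIAL_CREDIT[req.id]
    return req.weight


def score(requirements, statuses):
    """Return the SPRS-style score. A requirement missing from `statuses`
    is treated as not implemented, which is the conservative reading."""
    validate_table(requirements)
    total = MAX_SCORE
    for req in requirements:
        total -= deduction(req, statuses.get(req.id, Status.NOT_IMPLEMENTED))
    return total


def minimum_possible(requirements):
    """Lowest score the table allows (every requirement unimplemented)."""
    return MAX_SCORE - sum(r.weight for r in requirements)


if __name__ == "__main__":
    # Constructed assessment results for the sample table.
    results = {
        "3.1.1": Status.IMPLEMENTED,
        "3.1.2": Status.IMPLEMENTED,
        "3.1.20": Status.NOT_IMPLEMENTED,   # on the POA&M, so still deducted
        "3.5.3": Status.PARTIAL,            # MFA on remote/privileged only
        "3.13.11": Status.PARTIAL,          # TLS in use, not FIPS-validated
        # "3.1.5" deliberately unrecorded -> treated as not implemented
    }
    print("score:", score(SAMPLE_REQUIREMENTS, results))
```

Because unrecorded requirements are scored as not implemented, running the calculator against an incomplete assessment understates rather than overstates the score, which is the safer failure mode when the number is going into the SPRS.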

Completing your assessment

The stakes are high when it comes to CMMC compliance. If you rush in and make a mistake, you’ve not just lost the time and money spent on the assessment process. You may also lose contracts and threaten your ability to win them in the future.

It’s therefore essential that you take the time to get the process right. For many organizations – particularly those without someone on board with an expert understanding of NIST 800-171 – the best course of action is to get third-party guidance.

That’s where our NIST SP 800-171 DoD Assessment can help. With this service, a consultant will perform an in-person review of your systems and identify any compliance gaps.

They will then provide a detailed breakdown of your security posture, and create an action plan that sets out and prioritizes key issues you must address.

Our expert will also produce an SSP that documents and demonstrates how the NIST SP 800-171 controls are implemented within your organization.

Moreover, we will provide an initial assessment score that you can input into the DoD’s SPRS.