Here's the bottom line - if you are a DoD contractor and you are not in compliance with DFARS-7019, you may be ineligible for any DoD award. What has changed?!
For the last 18 months or so, the conversation for government contractors was all about CMMC Level 3.
While one of the interim DFARS rules allows for CMMC, the process is still unfolding and those requirements will phase in over the next five years.
Even though you may be reading about delays in rolling out CMMC - it is not going away!
But the immediate priority is back on NIST SP 800-171, and if you are not in compliance with DFARS-7019, you may be INELIGIBLE for any DoD award.
If you sell into the DoD - yes.
In a nutshell, DoD is asking you to take your System Security Plan (SSP) - a DFARS 7012 requirement since December 2017 - and apply a scoring algorithm to it and post the score.
While it's not the most intuitive algorithm, it's pretty straightforward once you read the rules: start with 110 points and deduct 1, 3, or 5 points for each 800-171 item not fully implemented.
Your score (negative 203 to positive 110) is then loaded into SPRS and checked before any contract action.
In practice, this has sent the DIB into a frenzy since somehow many (most?) companies never bothered to do an SSP despite attesting that they had.
If you have an SSP it will take less than 30 minutes to score the plan.
If you don’t have an SSP, you have a problem.
I’ve paraphrased some information from the DoD Procurement Toolbox below, but the gist of it is that since 30NOV20, you must have a summary level score and expected full compliance date with NIST 800-171 in the SPRS (Supplier Performance Risk System).
Building an SSP and associated POA&M is not trivial. You must document your policies, procedures, tools, and technologies used for each of the 110 requirements. Some are pretty straightforward and obvious; most are not. Since it's self-assessed, you get to decide whether what you are doing meets the letter and intent of the control, but you must ask yourself if an outside auditor will feel the same way. Remember, this is the groundwork for your CMMC L3 audit in the future.
Download a template - you can get a free one from NIST. BUT you still need to fill in ALL the details. The templates available are really just outlines. If you must download, don’t pay for one; it won't make the process any easier.
Subscribe to a tool - we recommend the DHS CSET cybersecurity evaluation tool. There are plenty of other online tools available that will walk you through the controls and give you a place to include your information. Most are not cheap but will give you a starting point.
Get help from a third party consultant. At Ntiva, we're doing a CMMC gap assessment, delivering an 800-171 compatible SSP and POA&M, and scoring the plan - all in one project.
As a side note, many contractors apparently do not have access to these systems. Check with your in-house contracts shops and verify before you need to do this. It can take several days to get set up.
Plan on updating your score monthly as you close action items on your POA&M (Plan of Actions and Milestones).
There is only one way: implement tools, technologies, policies and procedures that close gaps in your current system. Easier said than done.
Get outside help on the IT side. At Ntiva, our standard agreements help you address more than 90 of the 130 CMMC requirements.
Engage the rest of the company. While IT-centric, NIST and CMMC compliance require involvement of the Exec Team, HR, Contracts, PMs, and others. They can (and must) be part of the process. In many controls, IT is really the tail of the dog and other back-office departments need to take the lead.
Here are our best recommendations:
Update your SSP and close as many POA&M items as possible to maximize your assessment score (If you don’t have these yet, it takes weeks to create accurate ones – get help!)
Load your score into SPRS (while not hard, some companies have had access issues)
Address the low-hanging fruit on the policy and technology side
Update your SPRS score no more than monthly
Generate a plan to address all the policy and process requirements in CMMC and divide it up - it's IT-centric but it's not owned by IT
Target your technology rollout for the first few months of 2021 and match your policies and process to any tech changes (you need to demonstrate maturity to pass your CMMC audit, when the time comes).