By Polaris MEP National Network Partner CONNSTEP
October is Cybersecurity Awareness Month, and the overarching theme for this year is “Do Your Part. #BeCyberSmart.” To help Rhode Island manufacturers #BeCyberSmart about cybersecurity, we’ll be sharing posts from MEP National Network experts.
If you’re a Department of Defense (DoD) contractor or a manufacturer in the DoD supply chain who is required to implement NIST SP 800-171 security controls and is planning to implement Cybersecurity Maturity Model Certification (CMMC), you know cybersecurity compliance is a must.
The DoD recently issued an Interim Rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS), effective November 30, 2020. A new mandatory construct was introduced with the rule called the DoD Assessment Methodology.
What’s the new DoD Assessment Methodology all about?
It’s a standardized approach to assess contractor application of the cybersecurity requirements in NIST SP 800-171. This step serves as an interim self-certification process before contractors undergo a full CMMC review.
The DoD Assessment Methodology requirement was developed to address perceived shortcomings in the self-attestation process conducted by contractors and their subcontractors with access to covered defense information (CDI) or controlled unclassified information (CUI) under DFARS clause 252.204-7012.
The methodology also includes a scoring system that assigns a weight to each NIST SP 800-171 requirement and subtracts points for every requirement that is not fully implemented. Some contractors will have a negative score. Contractors must enter their most recent assessment date and score, and the projected end date of their Plan of Action and Milestones (POAM), into the DoD Supplier Performance Risk System (SPRS) database.
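To make the scoring mechanics concrete, here is an added example (not code from CONNSTEP, Polaris MEP or the DoD) that computes a score in the style of the DoD Assessment Methodology from a list of per-requirement findings. It assumes the published mechanics of the methodology: a starting score of 110 (one point per requirement), a deduction of 1, 3 or 5 points per unimplemented requirement, and reduced deductions for two partial-credit cases (multifactor authentication under 3.5.3 and non-FIPS-validated encryption under 3.13.11). The weight table in the block is a constructed subset for illustration only; the authoritative weight for each requirement must be taken from the methodology's annex. The `Finding` class, `score_assessment` and `sprs_summary` are names chosen for this example.

```python
"""Score a NIST SP 800-171 self-assessment the way the DoD Assessment
Methodology does: start at 110 and subtract each unimplemented requirement's
weight. Added example, not the DoD's or CONNSTEP's code.

Assumptions (labelled): MAX_SCORE of 110, weights of 1/3/5, and the two
partial-credit rules below reflect the methodology as published; the WEIGHTS
table itself is a constructed subset, not the full annex.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_SCORE = 110  # one point per NIST SP 800-171 requirement (assumed known fact)

# Constructed, partial weight table: requirement id -> points deducted when the
# requirement is not implemented. A real assessment uses all 110 entries from
# the methodology's annex; across the full table the weights sum to more than
# 110, which is why a score can go negative.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.4.1": 5, "3.5.3": 5, "3.8.4": 1,
    "3.12.2": 3, "3.13.11": 5,
}

# Reduced deduction when the requirement is only partially met (assumed):
# 3.5.3 MFA in place for remote/privileged users but not general users,
# 3.13.11 encryption in use but not FIPS-validated.
PARTIAL_CREDIT: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

VALID_STATUSES = ("implemented", "partial", "not_implemented")


@dataclass
class Finding:
    req_id: str
    status: str  # one of VALID_STATUSES


def score_assessment(findings: List[Finding]) -> Tuple[int, Dict[str, int]]:
    """Return (score, deductions) for the findings.

    Unknown requirement ids and unknown statuses are rejected rather than
    silently skipped, so a typo in an assessment cannot inflate the score.
    """
    deductions: Dict[str, int] = {}
    for f in findings:
        if f.req_id not in WEIGHTS:
            raise ValueError(f"unknown requirement id {f.req_id!r}")
        if f.status not in VALID_STATUSES:
            raise ValueError(f"{f.req_id}: unknown status {f.status!r}")
        if f.status == "implemented":
            continue
        if f.status == "partial":
            if f.req_id not in PARTIAL_CREDIT:
                # No partial-credit rule exists: the methodology treats the
                # requirement as not implemented, so deduct the full weight.
                deductions[f.req_id] = WEIGHTS[f.req_id]
            else:
                deductions[f.req_id] = PARTIAL_CREDIT[f.req_id]
        else:
            deductions[f.req_id] = WEIGHTS[f.req_id]
    return MAX_SCORE - sum(deductions.values()), deductions


def sprs_summary(findings: List[Finding], assessment_date: str,
                 poam_end_date: str) -> Dict[str, object]:
    """Build the three values the post says go into SPRS, plus the deductions
    so the POAM can be reconciled against them."""
    score, deductions = score_assessment(findings)
    return {
        "assessment_date": assessment_date,
        "score": score,
        "poam_end_date": poam_end_date,
        "open_items": sorted(deductions),
    }


# Constructed sample assessment: everything implemented except MFA (partial),
# FIPS encryption (not implemented) and external-connection control 3.1.20.
SAMPLE_FINDINGS = [
    Finding("3.5.3", "partial"),
    Finding("3.13.11", "not_implemented"),
    Finding("3.1.20", "not_implemented"),
] + [Finding(r, "implemented") for r in WEIGHTS
     if r not in ("3.5.3", "3.13.11", "3.1.20")]

if __name__ == "__main__":
    print(sprs_summary(SAMPLE_FINDINGS, "2020-11-15", "2021-06-30"))
```

The sample deducts 3 + 5 + 1 and yields 101; replacing the constructed table with the full annex is the only change needed to score a real assessment, and the same `open_items` list doubles as the starting point for the POAM whose projected end date is entered alongside the score.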
How does the Interim Rule affect CMMC implementation?
With the Interim Rule, the DoD is gradually phasing in the rollout of CMMC. It won’t be until September 30, 2025 that all contracts over the micropurchase threshold will require CMMC certification. Until that time, the DoD will determine which solicitations include the CMMC requirement.
When the CMMC requirement, DFARS clause 252.204-7021, appears in future contracts, it will be a mandatory flow-down to subcontractors at all tiers. The level of CMMC certification applicable to contractors will be based on the sensitivity of the information provided to them. The Interim Rule does not specify whether the government or the contractor makes this determination, although it implies it will be the responsibility of the contractor.
At this point in time it would benefit you to familiarize yourself with the DoD Assessment Methodology and SPRS. If you are not required to implement NIST SP 800-171 security controls because your company does not meet the criteria, be prepared to document why you do not need to conduct a DoD Assessment.
As a manufacturer who participates in supply chains tied to government contracts, you are well aware you must comply with the Defense Federal Acquisition Regulation Supplement. Implementation of the security requirements in NIST Special Publication 800-171 is a must. The DoD Assessment can help provide you with interim documentation of the requirements until full implementation of CMMC is achieved.
Did you attend the webinar about the DoD Interim Rule & CMMC?
Watch this recording of a November 2020 webinar featuring Polaris MEP’s Jean Lehman.
Then, contact us to learn more about the DoD’s Interim Rule and to work together on a DoD Assessment. Click here to submit an online cybersecurity inquiry, or call us at 401-270-8896.
About the Author
CONNSTEP is Connecticut’s Manufacturing Extension Partnership (MEP) Center. The cybersecurity consultants at CONNSTEP work with defense manufacturers in Connecticut to ensure their compliance with federal contract requirements.
Original Post: https://www.connstep.org/cybersecurity-compliance/dod-interim-rule-for-nist-sp800-171-and-cmmc/