This rule calls for immediate cybersecurity self-assessment from DoD contractors and describes expectations for full CMMC implementation over the next five years. <\/p>\n\n\n\n
Failure to acknowledge and plan for the immediate and future requirements of the interim CMMC rule may result in lost business and contracting opportunities.<\/strong> <\/p>\n\n\n\n The DoD\u2019s Cybersecurity Maturity Model Certification (CMMC) is a combination of standards and processes that builds upon NIST SP 800-171. NIST SP 800-171 is a codification of the requirements that any non-Federal computer system must follow to store, process, or transmit Controlled Unclassified Information (CUI). <\/p>\n\n\n\n The CMMC combines existing cybersecurity FAR \/ DFARS clauses, NIST SP 800-171 requirements, CMMC practices, and CMMC processes into a five-tier certification program The DoD describes CMMC as a \u201ccomprehensive and scalable\u201d certification framework. Additionally, CMMC certifications will be conducted by accredited CMMC Third Party Assessment Organizations (C3PAOs). <\/p>\n\n\n\n The NIST SP 800-171 DoD Assessment Requirements (see new DFARS clauses 252.204-7019 and 252.204-7020) are a bridge between the current DFARS cybersecurity clause 252.204-7012 and full CMMC contract implementation. The newly released interim rule instructs contractors to perform and submit \u201cBasic\u201d self-assessments through the Supplier Performance Risk Systems (SPRS). It also requires contractors to allow DoD access to conduct \u201cMedium\u201d and \u201cHigh\u201d level assessments as deemed necessary. <\/p>\n\n\n\n The new DFARS provision 252.204-7019 advises offerors to implement the NIST SP 800-171 standards (including contractors with DFARS clause 252.204-7012) to have a current (not older than three years) NIST SP 800-171 DoD Assessment on record in order to be considered for award. <\/p>\n\n\n\n The provision requires offerors to ensure the results of any applicable current assessments are posted in the Supplier Performance Risk System (SPRS) and provides offerors with additional information on conducting and submitting an Assessment when a current one is not posted in SPRS. <\/p>\n\n\n\n DFARS As of November 30, 2020, in order to be considered for awards, renewals, options, task orders, or other actions, contractor<\/strong>s<\/strong> will need to have a current assessment for each covered contractor information system that is relevant to the offer posted to the Supplier Performance Risk System (SPRS).<\/strong> <\/p>\n\n\n\n In simpler terms, all DoD or potential DoD contractors (and subcontractors) need to review the interim rule and assessment clause as soon as possible and take any required actions to prevent interruptions or denials of awards. <\/strong> <\/p>\n\n\n\n According to the interim rule and clause, it may take up to 30 days for scores to post to SPRS, so it is imperative that affected contractors provide self-assessments as soon as possible in advance of the November 30, 2020 date. <\/p>\n\n\n\n Additionally, DFARS provision The CMMC will apply to all DoD solicitations and contracts starting on or after October 1, 2025. In the meantime, DoD will selectively include the clause 252.204-7021 Cybersecurity Maturity Model Certification Requirements in solicitations as part of a phased rollout. <\/p>\n\n\n\n Contractors continuing or seeking to perform work with the DoD will need to determine the appropriate CMMC level to certify and maintain. Not meeting the CMMC level requirement upon solicitation release may limit a contractor\u2019s ability to bid or receive an award. Given CMMC certifications will be conducted by C3PAOs, advanced planning is required to secure certification prior to solicitation release. <\/p>\n\n\n\n Below is a brief description of CMMC level requirements: <\/p>\n\n\n Based on descriptions published within the interim rule, Level 2 is intended as an optional, immediate step between Level 1 and Level 3. Levels 4 and 5 are meant to promote security standards when contractors may face advanced threats. Hence, it can be expected that many contractors will be targeting certification at Level 1 or Level 3. <\/p>\n\n\n\n Also, note that Level 1 references FAR clause 52.204-21. While CMMC is a DoD program, this FAR cybersecurity clause is generally incorporated across agency contracts, so it is not outlandish to speculate that non-DoD contractors may become subject to a program like CMMC in the future. <\/p>\n\n\n\n In summary, contractors, whether DoD or non-DoD, should assess their business\u2019s current cybersecurity implementation, take stock of existing contract cybersecurity compliance, and begin planning for the CMMC rule and certification levels based on anticipated future federal contracting activity. <\/p>\n\n\n\n With the essential framework of CMMC, the new DFARS clauses, and DoD assessment methodology all well defined in the interim rule\u2019s publication, all federal contractors should conduct a serious, methodical review of cybersecurity implementation and federal contract compliance. DoD contractors who are subject to DFARS cybersecurity clause 252.204-7012 need to give extra attention to the rule and begin immediate implementation and planning. <\/p>\n\n\n\n Additionally, DoD contractors need to quickly identify if they are subject to the NIST 800-171 DoD Assessment Requirements and make plans to submit the company\u2019s system self-certification to SPRS for posting by November 30, 2020 or as soon as practicably possible. Prime contractors will want to notify subcontractors of the assessment requirement and flow down the requirement as applicable. <\/p>\n\n\n\n DoD and all other federal agency contractors should review the interim CMMC rule and determine their specific business approach to certification level and third-party certification engagement. <\/p>\n\n\n\n Failure to acknowledge and plan for the immediate and future requirements of the interim CMMC rule <\/strong>may<\/strong> result in lost business and contracting opportuni<\/strong>ties.<\/strong> <\/p>\n\n\n\n If you have questions regarding the near and long-term business impacts of DoD\u2019s Cybersecurity Maturity Model Certification to federal contractors, please contact Government Contracting Specialist and Senior Finance Consultant, Zach Ficklin at Ryan & Wetmore, P.C. <\/p>\n\n\n\nWhat are the Cybersecurity Maturity Model Certification (CMMC) and NIST SP 800-171 DoD Assessment Requirements?<\/strong> <\/h3>\n\n\n\n
Which Federal Contractors Need to Take Immediate Action Under DoD\u2019s New Assessment Requirements?<\/strong> <\/h3>\n\n\n\n
What About Longer-term Decision Making For CMMC Implementation?<\/strong> <\/h3>\n\n\n\n
![\"\"](\"https:\/\/www.ryanandwetmore.com\/rwblog\/wp-content\/uploads\/2020\/10\/2-1-410x1024.jpg\")
<\/figure>\n<\/div>\n\n\nSummary & Next Steps with Regards to DoD\u2019s Interim CMMC Rule<\/strong> <\/h3>\n\n\n\n