The Department of Defense's (DoD) new cybersecurity framework, the Cybersecurity Maturity Model Certification (CMMC), will not be fully rolled out until 2025. However, under a new interim rule, beginning November 30, 2020, the DoD will require contractors to have a current (i.e., not more than three years old) security assessment of the NIST 800-171 controls on record with the government before any contract is awarded. This new requirement calls for a "self-assessment" by the contractor using the DoD Assessment Methodology. The assessment results are to be entered in the Supplier Performance Risk System ("SPRS") so that DoD programs can access the results and use the contractor's compliance score as a criterion in contract award decisions.
The rule can be found here: https://www.govinfo.gov/content/pkg/FR-2020-09-29/pdf/2020-21123.pdf
The bottom line: all DoD contractors are now required to:
- Conduct a NIST 800-171 controls self-assessment
- Create a System Security Plan
- Score the System Security Plan using the DoD Assessment Methodology
- Submit the assessment score to the Supplier Performance Risk System
Since 2017, MCGlobalTech has helped small-business DoD contractors perform NIST 800-171 assessments and develop the required compliance policies and security plans. If you need help with any of this, our experts can provide a free consultation to get you started.