Cybersecurity Maturity Model Certification Important Update 2020

It’s been an interesting year and a busy few months with plenty of updates for the CMMC assessment requirements process.  For some background, the CMMC (cybersecurity maturity model certification) was created by the DOD and requires that its 300,000 supplier, primes, and subs (i.e., the Defense Supply Chain (DSC)) become compliant with defined cybersecurity practices and processes at various levels needed for compliance.

In late September, the DOD published an interim rule amending requirements for both DFARS and CMMC compliance.  As described here, the interim rule will go into effect on November 30, 2020, so DSC providers should be aware.

The DOD has overhauled the NIST SP 800-171 assessment methodology in which contractors are already required to be compliant per DFARS 252.204-7012.  Going forward, the DOD will require the contractor to self-certify and verify compliance before new contracts will be awarded.  The assessment methodology has three levels for basic, medium, or high in which the basic assessment can be completed prior to contract award and medium/high after award completion.  DSC providers need to be careful to ensure compliance and implementation requirements or the company might be subject to a False Claims Act violation.  DSC providers can get started with NIST recommendations for self-assessment of the DFARS requirements provided here. 

Another big result of the interim ruling going into effect is that the DOD plans to fully commit and move forward with the CMMC as re-affirmation to companies that part of the DSC begins the process of getting certified immediately.  The DOD has provided a timeline starting in 2021 and going forward with the number of new DOD contracts per year having clauses that state the contractor must be compliant with the CMMC requirements to that contract at award time.  The DSC contractor is [not required]{.underline} to be compliant at the stated CMMC level when bidding on the contract but must be at the required level by award time.  The DOD will also require by FY 2026 all DOD contracts will have a CMMC compliance requirements clause.  Once certified at the chosen CMMC level, the DSC contractor will need to be re-certified every three years or per significant change to the infrastructure or organization.

The CMMC-AB is actively working with the DOD on ensuring a proper rollout of CMMC assessment procedures and requirements.  At this time, it is highly encouraged for DSC contractors to begin getting their company and IT environments ready for CMMC compliance.

Have questions regarding CMMC requirements or the process?  Need help in getting your organization ready for the assessment with security architecture and be compliant with the applicable practices and processes for your needed CMMC Level?  See how Grove can help you prepare for your assessment and properly secure your environment.  Grove is currently seeking RPO status with the CMMC-AB to be certified in helping clients prepare for CMMC assessments.