Cybersecurity Maturity Model Certification (CMMC)
PJR is now a provisionally recognized 3rd party certification body for CMMC.
Attention all CMMC clients:
As of December 1, 2020, DFARS clauses 7019, 7020, and 7021 have been officially implemented.
Clause 7019 includes requirements for contractors to maintain their assessments and report them properly, as well as for contracting authorities to award or withhold award based upon properly reported assessment results. Clause 7020 outlines the requirements of the NIST 800-171 DoD Assessment and will appear in all DoD solicitations and contracts, task orders, or delivery orders. Finally, DFARS 7021 introduces the Cybersecurity Maturity Model Certification (CMMC) requirements into the federal regulatory framework. With the support of 7021, the Department of Defense’s phased rollout of CMMC is intended to ensure that all contracts, task orders, solicitations, etc. include CMMC requirements by October 1st, 2025.
For more information, or to learn more about CMMC, contact PJR.
NIST SP 800-171 DoD Self Assessments
The DFARS Interim Rule makes having a self-assessment in SPRS a requirement to win a new (or re-competing) contract after November 30th, 2020. Hopefully you are well on your way to submitting these assessments, as November 30th, 2020 is the date by which implementation must begin.
This very popular article from cmmcaudit.org has step-by-step advice for submitting your assessment: www.cmmcaudit.org/how-to-submit-a-nist-sp-800-171-self-assessment-to-sprs
What is it?
CMMC is a framework encompassing a range of maturity levels, from basic cybersecurity hygiene to advanced, with the intention of combining multiple cybersecurity control standards (e.g. NIST SP 800-171, ISO 27001, etc.) into one standard. In addition to assessing cybersecurity controls, CMMC measures the maturity of a company’s practices and processes.
Created by the Department of Defense (DoD), CMMC is just one part of a government-led effort to protect the US defense supply chain from interference or sabotage in the form of cyber threats. In 2015, the DoD published the Defense Federal Acquisition Regulation Supplement (DFARS), mandating that private contractors adopt cybersecurity standards aligned with the NIST SP 800-171 cybersecurity framework. Because adoption of the DFARS regulations has been slow, CMMC was created to ensure that the proper levels of controls and processes are in place.
What are the levels?
There are five levels within CMMC, ranging from basic to advanced. At the most basic level, a DoD contractor must implement a minimum of 17 practices from the CMMC framework. In contrast, at the “Advanced/Progressive” Level 5, a contractor must implement 171 practices from the framework.
Who does it apply to?
CMMC is intended for current or prospective United States Department of Defense contractors and subcontractors.
What can we do?
While available information about what CMMC certification will involve is limited, an early version 1.0 of the model has been released that lists the practices required at each level. With this resource, we are able to provide a pre-assessment that determines an organization’s readiness to achieve CMMC certification at its target level, in line with its strategic direction. Upon completion of a pre-assessment, clients will have a clearer understanding of any gaps in their systems and of the steps needed to close them before a full CMMC audit.
To learn more about CMMC or how PJR pre-assessment may help you prepare, contact us at (248) 358-3388.