The New Interim Rule & What it Means for You
The Office of Information and Regulatory Affairs at the Office of Management and Budget have released a new interim rule that requires all contractors with the DoD to be NIST SP 800-171 compliant starting Nov. 30th, 2020. The interim Rule can be commented on and viewed HERE. The interim rule highlights a push to enforce full compliance and why it should be your top priority. This goes for all systems that contain and process Controlled Unclassified Information (CUI). The interim rule is open for comments until Nov. 30th.
Compliance is the Path Forward for Maintaining Contracts Within the DoD
If your contracts within the DoD space require DFARS 252-7012 (NIST 800-171) controls being met, your company MUST provide a System Security Plan (SSP) and Plan of Actions & Milestones (POA&M). To push it even further, if a contract requires a Cybersecurity Maturity model Certification (CMMC) level, the items on the POA&M must be fulfilled. If the POA&M checklist is not complete, your company will not be at the specified level.
DFARS and NIST are the first step. Additionally, CMMC full implementation is expected by 2025 and the shift has already begun. Contracts are going to start requiring CMMC levels moving forward. Contracts already in place will continue as is and this is the reason for the five-year timeframe to shift into CMMC inclusive contracts. CMMC certification will be necessary before a contract is awarded. The time to focus on CMMC is now.
You Should Be Compliant with DFARS 252.204-7012 Already
DFARS 252.204-7012 (which enforces NIST 800-171) regulations were supposed to be met by Dec 31st of 2017. Unfortunately, not all companies are compliant with DFARS 252.204-7012. Additionally, since all contracts are subject to being audited, this can put many contracts in jeopardy that still lean on their POA&M items for compliance. Contracts that are audited will result in a risk score based on items that are not yet implemented from the POA&M. The time to get on top of your cybersecurity requirements is NOW before an unexpected audit puts a halt on your yearly revenue.
CMMC will be increasingly seen within government contracts and adopted more and more until full implementation in 2025. CMMC combines the basic safeguarding requirements for
Federal Contract Information specified in Federal Acquisition Regulation (FAR) Clause 52.204-213 and the security requirements for CUI specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-1714 per Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204- 7012 [3, 4, 5]. CMMC breaks down the security requirements into 5 different levels and it is time for your company do create a plan to figure out what level you fall under and preparing for your audit.
Compliance is Not Easy – Here is How InfusionPoints Can Help You
Start with a risk-based approach to increasingly improve your cybersecurity posture by:
1) Establishing scope and prioritizing your business/mission objectives and high-level priorities.
2) Conducting a risk assessment on your information systems that identifies threats and vulnerabilities to the information systems.
3) Creating a current, risk-informed target profile for your information systems.
4) Determining, analyzing, and prioritizing gaps, and by developing an implementation plan to close your gaps and improve the current state of your information systems.
5) Remediating your cybersecurity controls you have in place.
6) Completing a CMMC Audit by a CMMC Certified Third-Party Assessment Organization (C3PAO).
- DoD interim rule - https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of
- CMMC level 1 and level 3 information can be found HERE.
- An ongoing blog filled with CMMC updates can be found HERE.
- DFARS Compliance Audits Are Coming blog
- DoD Releases Interim Cybersecurity Rule
- Not Just CMMC: New DOD Rule Creates Two Cybersecurity Assessment Frameworks
- Federal News Network: DoD’s interim rule adds a new twist to implementing cyber maturity mode