To guide the process of transitioning from DFARS 252.204-7012, the original
requirement of satisfying NIST 800-171 controls through self-attestation, to CMMC,
certification by an authorized independent assessor, the DFARS Interim Rule was
created. The Interim Rule contains the following DFARS clauses:
252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements
252.204-7020, NIST SP 800-171 DoD Assessment Requirements
252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement
Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC) framework was originally developed by Carnegie Mellon University and The Johns Hopkins University Applied Physics Laboratory and funded by the Department of Defense (DoD). The CMMC consists of maturity processes and cybersecurity best practices drawn from multiple cybersecurity standards, frameworks and other references, as well as input from the Defense Industrial Base (DIB) and DoD stakeholders. The CMMC is a formal requirement of Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021, applying to those DoD contractors who process, store, or transmit Controlled Unclassified Information (CUI). When effective, CMMC will apply to all DoD solicitations and contracts, including those for the acquisition of commercial items (except those exclusively for COTS items), valued at greater than the micro-purchase threshold.
CMMC 2.0 was announced in November 2021. CMMC 2.0 is a streamlined model that reduces assessment costs while maintaining high accountability, collaboration and flexibility. CMMC 2.0 is currently in the rulemaking phase to become a permanent part of Part 32 of the Code of Federal Regulations (C.F.R.) and of the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R.
DoD contractors AND subcontractors MUST:
1. Complete a NIST SP 800-171 Assessment
2. Upload Assessment scoring and required documentation into the Supplier Performance Risk System (SPRS)
3. Achieve the appropriate CMMC level certification as required by the contracting documents/solicitation
SCA is a Cyber AB Registered Practitioner Organization (RPO) and offers the following services to help DoD contractors satisfy DFARS and CMMC requirements. View our CMMC marketplace listing here.
NIST 800-171 DoD Assessment
Following DFARS 252.204-7020 requirements, SCA will evaluate your organization
against the 110 controls found in NIST 800-171. Our process includes a gap analysis of
controls, scoring per the NIST 800-171 DoD assessment methodology and creating the
Plan of Action and Milestones (POAM) required to address partially implemented or
missing controls.
System Security Plan
Drawing on our more than 16 years of helping organizations document information
security policy, procedures, and employee use guidelines, SCA offers a three-tier
System Security Plan program:
1. Review of an existing System Security Plan, including recommendations for improvement
2. Revising an existing or developing a new System Security Plan
3. Annual review and maintenance of the System Security Plan to account for changes in people, processes, and technology
CMMC Readiness Assessment
Depending on your required CMMC Level, SCA offers a gap analysis for CMMC Levels
1 – 3 that will review the following:
CMMC Level 1
Basic cyber hygiene, including 17 practices from Federal Acquisition Regulation (FAR) Clause 52.204-21
CMMC Level 2
Advanced cyber hygiene, covering 110 practices from NIST 800-171
CMMC Level 3
Available when full details are released for Level 3.
Reach out to us to schedule a consultation and learn more about our cybersecurity assessment and advisory services. We will help elevate your security and demonstrate your compliance so that your organization can grow and thrive.
Contact Us Today For Free Consultation
(727) 571-1141