While one of the interim DFARS rules allows for CMMC, the process is still unfolding and those requirements will phase in over the next five years.
No, it's not going away!
But the immediate priority is back on NIST SP 800-171, and if you are not in compliance with DFARS -7019, you may be INELIGIBLE for any DoD award.
In a nutshell, DoD is asking you to take your System Security Plan (SSP) - a DFARS 7012 requirement since December 2017 - and apply a scoring algorithm to it and post the score.
While it's not the most intuitive algorithm, it's pretty straightforward once you read the rules: start with 110 points and deduct 1, 3, or 5 points for each -171 item not fully implemented.
Your score (negative 203 to positive 110) is then loaded in SPRS and checked before any contract action.
In practice, this has sent the DIB into a frenzy since somehow many (most?) companies never bothered to do an SSP despite attesting that they had.
If you have an SSP it will take less than 30 minutes to score the plan.
If you don’t have an SSP, you have a problem.
I’ve paraphrased some information from the DoD Procurement Toolbox below, but the gist of it is that since 30NOV20, you must have a summary level score and expected full compliance date with NIST 800-171 in the SPRS (Supplier Performance Risk System).
How You Can Fix This (NIST Compliance)
Whatever you do, don’t make up a score and load it – that makes it worse. If you’re a small business with multiple primes, don’t lie when they send you a form letter asking for -7012 and -7019 status and your compliance with NIST 800-171.
Building an SSP and associated POA&M is not trivial. You must document your policies, procedures, tools, and technologies used for each of the 110 requirements. Some are pretty straightforward and obvious; most are not. Since it's self-assessed, you get to make the decision if what you are doing meets the letter and intent of the control, but you must ask yourself if an outside auditor will feel the same way. Remember, this is the groundwork for your CMMC L3 audit in the future.
- Download a template - you can get a free one from NIST. BUT you still need to fill in ALL the details. The templates available are really just outlines. If you must download, don’t pay for one; it won't make the process any easier.
- Subscribe to a tool - we recommend the DHS CSET cybersecurity evaluation tool. There are plenty of other online tools available that will walk you through the controls and give you a place to include your information. Most are not cheap but will give you a starting point.
- Get help from a third party consultant. At Ntiva, we're doing a CMMC gap assessment, delivering an 800-171 compatible SSP and POA&M, and scoring the plan - all in one project.
I Have My NIST Score - Now What?
Log in to SPRS (Supplier Performance Risk System) through PIEE, load the summary score and the date you expect to reach a perfect 110. Here is everything you need to know about the SPRS process including training videos.
As a side note, many contractors apparently do not have access to these systems. Check with your in-house contracts shops and verify before you need to do this. It can take several days to get set up.
Plan on updating your score monthly as you close action items on your POA&M (Plan of Actions and Milestones).
How Can I Improve My NIST Score?
There is only one way: implement tools, technologies, policies and procedures that close gaps in your current system. Easier said than done.
- If you have a small IT shop in-house, you are not likely to make much progress on your own. There are just too many things to address.
- Get outside help on the IT side. At Ntiva, our standard agreements help you address more than 90 of the 130 CMMC requirements.
- Engage the rest of the company. While IT centric, NIST and CMMC compliance require involvement of the Exec Team, HR, Contracts, PMs, and others. They can (and must) be part of the process. In many controls, IT is really the tail of the dog and other back-office departments need to take the lead.
Bottom Line Advice on NIST Compliance From Frank!
As many of you know, I've spent 20+ years in the federal space, mostly with small and mid-sized businesses. If I were still in that business, here's what I'd be doing:
- Update my SSP and close as many POA&M items as possible to maximize my assessment score (if you don’t have these yet, it takes weeks to create accurate ones – get help!)
- Load my score into SPRS (while not hard, some companies have had access issues)
- Address the low-hanging fruit on the policy and technology side
- Update my SPRS score no more than monthly
- Generate a plan to address all the policy and process requirements in CMMC and divide it up - it's IT centric but it's not owned by IT
- Target my technology rollout for the first few months of 2021 and match my policies and process to any tech changes (you need to demonstrate maturity to pass your CMMC audit, when the time comes)