Cybersecurity has never mattered more than it does today. Without proper precautions and security measures, a cyber attack can be catastrophic for businesses, economies, and national security. This is why it is so important for governments and security services to implement advanced cybersecurity measures.
US authorities in the Department of Defense are taking cybersecurity very seriously. The Defense Federal Acquisition Regulation Supplement (DFARS) that was previously used to measure DoD contractors’ security is now in the process of being updated and replaced by CMMC, which will audit and test organizations’ compliance more thoroughly.
The Purpose of CMMC
The Cybersecurity Maturity Model Certification (CMMC) is the new cybersecurity standard for DoD contractors. It is expected to be rolled out over a 5-year period. The idea is that this will replace the existing DFARS requirements, and the new initiative has been through a couple of updates since it was first released back in January 2020.
The CMMC is intended to improve cybersecurity processes across the board, which is why it comes with a verification component. All DoD contractors will be required to pass a CMMC audit in order to become CMMC verified. This helps to ensure that the right security measures are being taken and that all contractors and companies wanting to work with the DoD have the appropriate level of cybersecurity for their business.
The Interim Rule and Current Requirements for CMMC
Although CMMC likely won’t be fully implemented until 2025, there are changes going into effect far sooner than that final date, one of which is the Interim Rule announced in September last year.
The Interim Rule requires contractors to complete a scored self-assessment and implements increased audits designed to corroborate the scored test. This increases transparency levels and holds organizations accountable.
Some key points to keep in mind for contractors looking to adopt these requirements include:
- New regulations went into effect on Dec. 1, 2020, so all contractors looking to bid on applicable new contracts must now be in compliance with the Interim Rule.
- Contractors handling controlled unclassified information (CUI) will have to complete their self-assessment and post their score on the SPRS before being eligible for new contracts.
- Additionally, contractors will need to complete a System Security Plan and a Plan of Action and Milestones (POAM) detailing how they are working toward compliance.
- DCMA will be conducting random audits to check self-assessment results and ensure compliance.
Working with a CMMC Consultant
Because the Interim Rule’s new measures will not allow contractors to begin new contracts until its requirements are met, many DoD contractors rushed to become compliant by the Dec. 1 deadline. Many more have not yet completed all the steps necessary for compliance, but must now step into line or risk downtime while ineligible for new contracts.
To meet the new requirements and remain productive, many contractors choose to work with CMMC consultants who are already familiar with all the steps of the process and have helped other organizations become compliant.
It is important to be aware of the changes that are required in order to ensure you can stay up to date with the Interim Rule, as well as other CMMC changes as they are rolled out over the next several years.