Recently, the Department of Defense (DoD) released CMMC v2.0. This new version streamlines the original v1.0 from 5 levels down to 3, and walks back the third-party audit requirements to exclude all companies at Level 1 and some companies at Level 2. Companies no longer have to be fully compliant at the time of the contract, and v2.0 brings back Plans of Action and Milestones (POA&Ms) to address any deficiencies. For more information about v2.0, check out our website here.
While there will undoubtedly be more changes as the DoD continues the rulemaking process, one thing is going to remain constant for the vast majority of companies in the Defense Industrial Base (DIB): NIST 800-171 compliance. NIST 800-171 compliance is already a requirement for all contractors, but an audit from 2015-2017 showed that the typical contractor is only approximately 60% compliant, and it typically takes an organization six to nine months to implement the necessary changes. This is the reason for CMMC, and why most companies are going to require a third-party audit.
The DoD is serious about beefing up the security of the DIB. This is due to an increase in cyberattacks on the global supply chain from Advanced Persistent Threats (APTs). Even companies that will no longer be required to pass an external audit, and will instead perform an annual self-assessment, will be required to have a senior official sign off on their compliance. This is for one reason: accountability. The DoD reserves the right to audit an organization at any time to verify its compliance, and that senior official will be held responsible for any failures.
Why preparation needs to begin now:
Since 2017, NIST 800-171 compliance has been mandated by DFARS 7012. Because many companies have ignored this, external compliance audits could be here in as little as 9 months once the DoD finishes the rulemaking process. Even now, companies can be fined by the DoD, and senior executives will be held responsible for non-compliance.
Conducting internal audits, developing a plan and remediating gaps can take most organizations several months or even years. It is better to start now and make sure you are ready for an external audit than to put it off and be scrambling when the rulemaking process is finished and an external audit is required. For those that don't pass, you only have 90-180 days to develop a POA&M and remediate any deficiencies. That is not a lot of time to develop and execute a plan, and organizations that wait will end up paying a lot more for these solutions than if they had started now.
What are the next steps for you and your company?
Begin With a Self Assessment
Organizations are currently required to upload their SPRS (Supplier Performance Risk System) scores for their DFARS requirements. This is a great place to start, and if you haven't completed one recently, you can download our example walkthrough here. It is very important to be honest in these evaluations: previously, many companies claimed they were compliant with DFARS, but the DoD found this to be far from the truth.
Get CMMC and DFARS experts to go over your self assessment results
As previously mentioned, although you may think that you're compliant with CMMC requirements, the DoD found that the typical company is only approximately 60% compliant with the previous DFARS requirements. An expert will help you go over any shortcomings you already know about, and uncover any gaps you don't know are there. You can schedule a free 30-minute consultation with one of our experts here.
After getting expert advice, it's time to implement their recommended solutions. Our experts can help develop any processes or programs, and you can learn more here about the different types of security solutions we provide that map directly to the CMMC requirements. These include a 24x7 SOC, threat detection and monitoring, SIEM, Endpoint Detection, and Network Detection.
Conduct an Internal Audit
This is the final step before the actual audit. Our audit professionals will conduct a final walkthrough before the C3PAO assessment to make sure that everything is ready. Contact FirstCall Consulting today at email@example.com