November 5, 2020
Good morning, everyone!
Yesterday I attended a webinar featuring Ms. Dasha Deckwerth, founder and president of the Stealth ISS group and a CMMC Provisional Assessor. As one of the few people who have completed CMMC assessor training, Ms. Deckwerth has rare insight into the assessment process, and she offered some important information. Here are a few of my notes.
This is Not a Checklist
Ms. Deckwerth began by emphasizing that the CMMC is unlike any other government standard she has worked with (and her experience is extensive). She stated several times “this is not a checklist, this is about being secure,” and added that “this will catch a lot of companies off guard” because they don’t appreciate the difference.
Build a Culture of Security
I know you’ve heard me talk about this! Ms. Deckwerth stressed it repeatedly as well: the CMMC requires a “culture change” because it is about real security, not about checking boxes.
The Time to Prepare is Now
Again, I know I’ve said this before, but I can’t say it enough. One of the key takeaways from yesterday’s webinar is that the CMMC assessment methodology requires at least six months of evidence to prove maturity: six months of logs, records, or whatever other artifacts you will be presenting in your assessment. You cannot pull that together in a hurry.
DoD Has Gotten Serious About Contractors’ Cyber Security
A related topic Ms. Deckwerth discussed is the new DoD assessment score that you need to have in SPRS for future contracts, even before the CMMC starts to appear in RFIs and RFPs. The DoD has just issued a notice to formalize the assessment requirements of the new DFARS 252.204-7019 and 252.204-7020 clauses in the interim rule (I discussed these in my last CMMC Update). The notice states in part:
The collection of information is necessary for DoD to immediately begin assessing where vulnerabilities in its supply chain exist and take steps to correct such deficiencies. In addition, the collection of information is necessary to ensure Defense Industrial Base (DIB) contractors that have not fully implemented the NIST SP 800-171 security requirements pursuant to DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, begin correcting these deficiencies immediately.
Are the alarm bells going off in your head yet? If you handle CUI, DFARS 252.204-7012 requires you to implement the NIST SP 800-171 controls. Any contractor in this situation must have a current NIST SP 800-171 DoD Assessment score (at a minimum a Basic self-assessment, scored under the DoD Assessment Methodology) posted in SPRS to win any new contract after November 30. The DoD is using this rule to enforce contractors’ compliance even before the CMMC comes into play.
The world has changed, folks. The DoD is serious about risk-based security, not just compliance (though they are enforcing it with a compliance mentality – only so much can change at once!), and this will require a culture change in many organizations. The time to prepare is now, and I can help! Contact me with your questions, and let’s discuss the path forward for your organization.
PS -- If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!