November 18, 2020
Good morning, everyone!
Last week was a busy one! I attended four webinars on the CMMC and NIST 800-171 self-assessment and I learned a lot. Here are my key takeaways for the week:
All DoD contractors and their suppliers must self-assess the 800-171 controls, even if they don’t handle CUI
I have to say, this one took me by surprise. On Tuesday, John Ellis, Director of the Software Division with the Defense Contract Management Agency (DCMA), discussed DIBCAC assessments and the new requirement for self-assessing the NIST SP 800-171 controls and recording your score in the Supplier Performance Risk System (SPRS) database. What surprised me, though, was that he implied that ALL contractors would have to do this, not just those who handle Controlled Unclassified Information (CUI). Up to now, the 800-171 controls only applied to information systems that “store, process or transmit” CUI.
I was already registered for “Coffee with Katie Arrington” Thursday morning, so I logged on early and typed in a question: “Do all contractors need to enter a self-assessment into SPRS or only those who handle CUI? Do contractors who do not handle CUI need to enter the self-assessment?” and I was fortunate that my question was chosen. Ms. Arrington answered me directly that this applies to everyone. She said “Cybersecurity is now in all acquisitions, so December 1, if you are looking for a contract award, and it is not a micro-purchase of less than $10,000 and it does not apply to COTS, so otherwise than that, the CUI is off the table in the fact that everyone needs to register in SPRS their self-assessment.” (You can listen to the recording of this session -- my question appears at 23:19.)
What does this mean for you? Things have changed. While the 800-171 controls are still (at least for now) only required for those who handle CUI, they are now encouraged for all contractors, and all contractors must self-assess and record their score in SPRS for any new awards after November 30. Primes are responsible for making sure that their suppliers have done this as well. Ms. Arrington stated subs would need to disclose their scores to their primes via NDAs during the contract negotiation phase. I can see this being quite problematic.
If you are totally lost, reach out to me for help.
Mr. Ellis’ parting words were: “Get fully compliant. Get fully compliant now.”
Biggest problems that show up in DIBCAC assessments
Mr. Ellis explained how the self-assessments can turn into official DoD assessments. He stated that DIBCAC will continue doing official DoD assessments until the CMMC is fully rolled out. If you are chosen for a “Medium” assessment, DIBCAC will contact you. It typically takes 1-2 days and takes place via conference call. “High” assessments are done virtually as much as possible, but there is a requirement for an onsite inspection that typically lasts Tues-Thurs in one week. He identified these problems that most often turn up:
- Multi-factor authentication not fully implemented
- FIPS 140 encryption not in use everywhere required
Mr. Ellis also pointed out that a big problem he has seen is companies that don't have the means to self-report a cyber incident, which is one of the requirements of the DFARS 7012 clause. (Everyone focuses on the 800-171 controls and forgets there's more in that clause than those 110 controls.)
He said “It’s all about preparation – have you followed your own policies?” and “It’s all about consistency.”
Following Mr. Ellis were two attorneys who specialize in this field. They encouraged everyone to make sure the scores recorded in SPRS are accurate. “Make sure you can back it up!”
The first 15 CMMC contracts about to be announced
Ms. Arrington stated that the first 15 contracts to have the CMMC clause will be announced in the next week or so. Each has a different prime, with about 100 subs on each contract, which means approximately 1500 contractors will be certified CMMC in FY2021. They come from all the services. They vary in size; some are sole source and some are IDIQ (indefinite delivery/indefinite quantity).
My guess is that these 15 primes have already passed DIBCAC audits with flying colors and are expected to achieve the necessary CMMC certification without much difficulty. If this doesn’t apply to you, and you are not a sub to any of those 15, this means you most likely have the rest of FY2021 to prepare for your CMMC certification. Don’t waste this time! Remember, the “maturity” in the name requires at least six months of evidence for each practice and process in the CMMC audit.
The time to prepare is now, and I can help! Contact me with your questions, and let’s talk about the path forward for your organization.
New Work(fromhome)shop Dec 15
This online class is an introduction to my "deep dive" series on the specifics of achieving Maturity Levels 1-3 coming up in Spring 2021. Participants in this class will have the first chance at signing up for the spring series.
Tuesday, December 15 @ 10:00 AM - 11:00 AM (CT)
Early Bird Price expires November 23, 2020!
PS -- If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!