February 11, 2021
Good afternoon, everyone!
Hot Topics in the CMMC Ecosystem
There is no shortage of CMMC-related webinars these days. Some are extremely informative, some not so much. Here are my best tidbits from the past two weeks:
To Self-Assess or Not to Self-Assess?
The 7019 clause of the interim rule, which became final on November 30 (requiring all contractors to perform a self-assessment against the 110 controls of NIST 800-171 and enter the score in the Supplier Performance Risk System (SPRS) database), has been a hot topic. The DoD still seems to be saying this applies to everyone, not just those who handle CUI, although almost everyone outside the DoD doesn’t read it that way. Should you do this, or not? I would say that if you handle CUI, then yes, you need to do this right away. Not having a score in SPRS (no matter how bad it is, even negative) will bar you not only from future contracts but also from options and modifications on current contracts. I have clients already receiving the new 7019 clause in options on existing contracts. If you don’t handle CUI, I would go ahead and do the self-assessment anyway, because it’s a good exercise, and keep your score handy. That way, if you are required at some point to have a score recorded in SPRS, you can enter it quickly. Better safe than sorry, right?
The Pilot Contracts for 2021
The first pilot contracts requiring the CMMC were announced on December 15. I would urge you to review this list to determine whether you think you may be a supplier on one of these contracts. If not, breathe a sigh of relief that you won’t need your CMMC certification this year. Otherwise, roll up your sleeves and get to work! Time's a-wasting.
Don’t Over-Obligate Your Subs
This was interesting to me. Stacy Bostjanick, Director of CMMC Policy at OUSD A&S, says, “Be mindful of how you pass data to your subcontractors. Don’t over-obligate them.” I thought this was great! If primes and subs are careful not to pass CUI farther down the line when it isn’t necessary, it will be much easier for small businesses to achieve ML1 rather than ML3. (Hint: if you haven’t looked closely at these, there’s an absolute chasm of difference between the two.)
Early Adopters Will Eat Everyone Else’s Lunch
It’s an undeniable fact: the first organizations to achieve CMMC compliance will have a distinct competitive edge over those who are dragging their feet. Next year (FY2022), 75 contracts are expected to be released with the CMMC clause. How many subs will be a part of those 75 projects? A few thousand? Every one of them will require a CMMC certification, at least ML1 (other than micro-purchases under $10k and COTS items). When those primes and Tier One subs go shopping for help, they will have to pass over anyone who doesn’t already have a CMMC certification.
This is why the time to prepare is now. Get out your self-assessment and identify the low-hanging fruit: easy, free, or cheap ways to meet a few more practices. Do them. Then tackle the next round and keep going. Pick up your POAM (plan of action and milestones) and start closing those open items. Work on writing down your policies and documenting your practices.
PS -- If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!