How DoD Contractors Can Prepare for CMMC

Department of Defense (DoD) contractors in the U.S. must implement the security requirements of NIST SP 800-171 in order to comply with DFARS and prepare for an upcoming CMMC audit. As a NIST consultant, K2 Tech Group is your local CMMC compliance consulting company in the Greenville, SC area.

In 2020 the Department of Defense issued the official version of the Cybersecurity Maturity Model Certification (CMMC), which sets out the cybersecurity requirements a contractor must meet in order to receive new DoD contracts. The framework defines several maturity levels, and a contractor must be certified at the level a given contract specifies. These measures verify that every business holding a DoD contract has an appropriate level of cybersecurity in place. CMMC certification covers basic cyber hygiene and the protection of controlled unclassified information (CUI). CUI is government-created or government-owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government-wide policies.

Under the new CMMC regulations, organizations will no longer be able to self-certify as contractors could previously. From mid-2020 onwards the DoD will authorize independent third-party assessment organizations to assess organizations seeking certification.

How Does K2 Help with the CMMC Interim Rule?

The DoD is issuing an Interim Rule amending the DFARS to implement the DoD Assessment Methodology and the CMMC framework. Together these assess how well contractors have implemented the required cybersecurity controls and enhance the protection of unclassified information within the DoD supply chain.

Under the new regulations, every contractor must report a score representing its progress toward NIST SP 800-171 compliance before it can be awarded a contract. Along with the score, the contractor must also report the date by which all remaining requirements will be implemented.

How the Interim Rule Impacts NIST 800-171

The government will use a supplier report-card system, the Supplier Performance Risk System (SPRS), to “verify that an offeror has a current (i.e., not more than three years old, unless a lesser time is specified in the solicitation) Assessment, at any level, on record prior to contract award.”

The assessment referenced above is a score produced by reviewing your NIST SP 800-171 implementation as documented in your System Security Plan (SSP). Under the DoD Assessment Methodology, a contractor that has fully implemented all 110 requirements scores 110, and points are deducted for each requirement not yet in place. This means your organization needs an SSP in place before the assessment can be performed.

The Benefits of Working with a NIST Consultant

NIST consultants help Department of Defense (DoD) contractors throughout the U.S. implement the NIST SP 800-171 security requirements in order to comply with DFARS and prepare for an upcoming CMMC audit.

NIST consultants typically do the following:

  • Perform a detailed assessment to determine your current compliance level.
  • Develop your System Security Plan (SSP) and Plan of Action & Milestones (POA&M).
  • Implement the security controls and requirements of NIST SP 800-171 that you have not yet met.

As you prepare for an audit to determine your CMMC level, partnering with a managed service provider such as K2 Tech, which is experienced in the new CMMC regulations and DFARS compliance, will help you understand and close the gaps in your security and compliance plan. Request a CMMC gap analysis today.