Thursday, December 19, 2024

An introduction to CMMC for the small and medium-size contractor (CORRECTED COPY)

I was published this morning in the NH Business Review regarding CMMC for small- and medium-sized defense contractors. Within minutes of its publication, I received LinkedIn feedback that some of my facts were mixed up. Upon further review (and a telephone conversation), he was right. And I figured if this confuses me, I can't even imagine what others must be thinking. The contractor base has been listening to the cacophony of marketing and communications for years, inundated with LinkedIn messaging by many who've never been more than editors and/or self-promoted pundits.

So let's put CMMC aside for a moment. Here's the bottom line: This is directly from the source.

SPRS is required today… 15 controls for FCI and 110 (NIST 800-171) for DoD contracts.

  • ANY contractor, not just defense contractors, who handles FCI “requires compliance with 15 security requirements” in NIST 800-171.
  • Defense contracts have a special bonus. They need to meet 110 security requirements specified in NIST SP 800-171.

This, according to the Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations (shown below).
So what about CMMC? CMMC was described to me today, by a Cyber AB board member, as a two-step process. The first just happened. On 12/16 CMMC was announced as final in the Federal Register. The next announcement (which hasn't happened yet) will spell out timelines. This is expected sometime in 2025.


Federal contracts (including defense contracts) involving the transfer of FCI to a non-Government organization follow the requirements specified in 48 CFR 52.204-21 (Federal Acquisition Regulation (FAR) clause 52.204-21), Basic Safeguarding of Covered Contractor Information Systems.[13] FAR clause 52.204-21 requires compliance with 15 security requirements, FAR clause 52.204-21 (b)(1), items (i) through (xv). These requirements are the minimum necessary for any entity wishing to receive FCI from the US Government.

Defense contracts involving the development or transfer of CUI to a non-Government organization require applicable requirements of DFARS clause 252.204-7012. This clause requires defense contractors to provide adequate security on all covered contractor information systems by implementing the 110 security requirements specified in NIST SP 800-171.


"To comply with DFARS clause 252.204-7012, contractors are required to develop a SSP[15] detailing the policies and procedures their organization has in place to comply with NIST SP 800-171. The SSP serves as a foundational document for the required NIST SP 800-171 self-assessment. To comply with 48 CFR 252.204-7019 (DFARS provision 252.204-7019) and DFARS clause 252.204-7020, self-assessment scores must be submitted.[16] The highest score is 110, meaning all 110 NIST SP 800-171 security requirements have been fully implemented. If a contractor's Supplier Performance Risk System (SPRS) score is less than 110, indicating security gaps exist, then the contractor must create a plan of action[17] identifying security tasks that still need to be accomplished. In essence, an SSP describes the cybersecurity plan the contractor has in place to protect CUI. The SSP needs to address each NIST SP 800-171 security requirement and explain how the requirement is implemented. This can be through policy, technology, or a combination of both."


BREAK BREAK: What's the difference between FCI and CUI? Click here to find out. That's another blog.


This is all very confusing. SPRS and the use of NIST 800-171 are very real. CMMC audits are coming, but for now, SPRS is required by FAR.


Need help? Reach out... staysafeonline@trustedinternet.io.