Work continues on the framework, including the development of Levels 4 and 5, but when the phased roll-out is complete, any contractor or subcontractor will have to have some level of CMMC in order to even bid on a DoD contract.
Accreditation
As of the time of printing this story, no CMMC assessments have been formally authorized, but the tools for doing so are currently being developed by the CMMC Accreditation Body in partnership with the DoD. The Accreditation Body is responsible for CMMC audits, accreditation and training of CMMC Provisional Assessors and third-party assessor organizations (C3PAOs). This organization is working to grow the number of authorized resources available to companies across the country and maintains a website, https://www.cmmcab.org, with a listing of approved resources and other official information related to CMMC.
Intermediate Reporting Requirements
While the CMMC process is being rolled out, an intermediary step in DFARS reporting was added in 2020. New rules require companies to report their compliance with DFARS / NIST SP 800-171 through the Supplier Performance Risk System (SPRS). The resulting SPRS score provides feedback about compliance and has increased the focus on the need to adhere to current NIST SP 800-171 standards in addition to preparing for CMMC.
By self-attestation through the SPRS and contract agreements, companies are declaring that they are currently in full compliance with the required controls.
Should they not truly be in compliance, they are at risk of being sued by the federal government under the False Claims Act, which carries a penalty of three times the value of the contract and $11,000+ per claim.
Action Steps
Meline and Alex Stanton, Managing Partner at cybersecurity company ExBabylon, report that many of the companies they work with fall short of meeting the NIST SP 800-171 standards, and they advise company leaders to ask questions of their team about their system security plan rather than assuming all is well. Stanton says that leadership needs to be actively involved with cybersecurity planning:
“This isn’t an IT problem. It’s a business strategy that requires top down decision making and the massive collaboration of an internal team, often with the assistance of outside expertise to effectively address.”
In tackling the required cybersecurity controls, the experts recommend that current DoD contractors confirm NIST SP 800-171 compliance or address issues immediately while simultaneously initiating a soft CMMC readiness program.
36 NORTHWEST AEROSPACE NEWS