Tell me if these ring a bell– the Colonial Pipeline breach, the cyberattack on Scripps Health, the ransomware that hit JBL Foods, even McDonalds, Microsoft Exchange, and the Facebook data leaks. These all happened just this year. The pandemic has seen a rise in cybersecurity breaches at an alarming rate.
Enter the Interim Rule for DFARS 252.204-7012, released last September 2020 and came into effect last November 2020. It aims to make CMMC (Cybersecurity Maturity Model Certification) the cybersecurity framework for all Department of Defense contracts, it also directs contractors that they need to undergo a self-assessment using the NIST 800-171, and report back to the DoD their achieved scores. This is a requirement to renewing current contracts with the DoD or to submit new bids as well. for both prime and subcontractors.
What is CUI?
The Controlled Unclassified Information (CUI) program was established so that sensitive unclassified information could be protected in a standardized manner, creating a baseline for departments and agencies, academia, industries among others.
NIST 800-171
Since there are a lot of non-federal agencies that make use of CUI, the NIST created 800-171 for contractors and subcontractors. Here are 110 security controls for 14 primary areas aimed to protect CUI. The problem with this method was, self-testing could not be completely standardized. To make the process more efficient, the Cybersecurity Model Certification (CMMC) program was created, the initial version was released last January 2020.
With the CMMC in place, an Accreditation Body will now assess the contractor’s certification levels. Once you pass the certification, it is valid for 3 years.
While waiting for your CMMC certification, you will still need to continue and make sure you pass your self-assessment based on NIST 800-171 controls. The results need to be reported to the Suppliers Performance Risk System (SPRS).
The DoD created new assessment guidelines with NIST 800-171. No longer a pass or fail assessment, the contractor can now score a maximum of 110 points, although, it is very much possible to score a negative on the assessment as some controls and requirements are weighted and not meeting these deducts points from the 110 total.
If the score is less than 110, meaning a security gap was detected, a contractor is required to make a Plan of Action and Milestones (POAM), this should detail the reasons why your score was lower, what steps are being taken to resolve it, and when will it be resolved.
The DFARS rule 252.204-7012 does not outline a score for a contractor’s eligibility, it would be good to note that the DoD will (undoubtedly), consider higher scoring companies than others with a low or negative score. The scores that are submitted to SPRS are very important.
Although they seem to be similar or even entangled, these programs are complementary and help companies get better in their cybersecurity protocols.
The DFARS 252.204-7012 and NIST SP 800-171 are your frameworks, use them to create and oversee your programs for Information Security. Through the DoD assessment, you will know if the systems you have in place are doing what is needful. Your scores will either be a point of pride or a signal that you need more attention to your security. Once you gain your CMMC certification, a whole new world of greater and more complex government contracts opens up as federal agencies are now more confident in your handling of CUI and its safety.
It is quite a read, and even more so to understand from here on in. Why not take a load off and just drop us a line so we can help you in clearing the smoke and #gainingwitts? #Cybersecurity nowadays is a very serious ordeal and compliance is a must for success. Don’t worry, #PWCPA is here if you need a quick Q & A.
#accounting #government #wittscpa #accountinglife #businessgrowth #success #amazingchanges