The CMMC (Cybersecurity Maturity Model Certification) is the new cybersecurity protocol being put in place for DoD (Department of Defense) contractors. CMMC is still being rolled out, so there are constant updates still being made.
The DFARS Interim Rule is one of the updates recently announced that has already begun affecting the compliance requirements of DoD contractors.
While the Department of Defense is focused on getting the CMMC program completed and rolled out as soon as possible, the process is taking longer than previously anticipated. CMMC is now expected to be enacted over a five-year period. Despite the delay, the current method of self-assessment that is used in DFARS standards has proved inadequate for continued use, as the DoD supply chain is still falling victim to cyber attacks, necessitating the introduction of the Interim Rule to make immediate changes.
What the Interim Rule Means for DoD contractors
The purpose of this Interim Rule is to increase contractor security while the process of CMMC implementation is still in development. This rule enacts new requirements, such as a self-scoring methodology and reporting, as well as the announcement of increased audits at Basic, Medium, and High levels of scrutiny.
It will take effect on December 1, 2020, meaning that all contractors who have not completed the scored self-assessment and correctly reported their score will not be eligible for new contracts after this date.
The Self-Assessment must include a System Security Plan (SSP) with a Plan of Action and Milestones (POAM). These pieces will describe the organization’s current cybersecurity implementation and give a plan and timeline for achieving full compliance.
Contractors will also be subject to random audits that will review the scored self-assessment to ensure it is scored accurately.
What To Do Now
The most important thing to do now as a DoD contractor is to get up to date with the Interim Rule requirements so you can remain eligible for DoD contracts. You can do this by receiving a scored assessment, and then working to keep up with any updates to the rules through regular assessments.
Every DoD contractor doesn’t need to have the scored assessment completed by December 1. However, contractors must have the assessment complete before any new contracts can be awarded after that date. Because of this, it’s a good idea to prepare as soon as you can so you don’t miss out on new contracts.