Enforcing Cybersecurity Compliance for Defense Contractors

By Jason Golden | November 2, 2020

Mark your calendar for November 30, and no, unfortunately it’s not a holiday. It’s the effective date of the DFARS interim rule that introduces a new assessment methodology for NIST SP 800-171 and begins phasing CMMC into DoD contracts.

If you’re following the timeline for the Cybersecurity Maturity Model Certification (CMMC) process, then you know that the CMMC compliance mandate within Department of Defense (DoD) contracts is a phased approach over five years. For some organizations that meant the need to be certified was still years away; for others it was immediate, and the global pandemic did not slow it down. But now, for almost all, compliance with NIST SP 800-171, whose 110 security requirements form the core of CMMC Level 3 (Level 3 adds 20 further practices on top of them), is here.

The DoD won’t wait for CMMC to appear in every contract before taking this step toward CMMC compliance. As of November 30, 2020, the interim rule (DFARS clauses 252.204-7019 and 252.204-7020) enforces NIST SP 800-171 compliance across the defense supply chain.

The interim rule allows contractors to self-assess compliance with a Basic Assessment and report the resulting score in the DoD’s Supplier Performance Risk System (SPRS).

The NIST SP 800-171 DoD Assessment Methodology is a framework for verifying contractor compliance with the cybersecurity requirements already imposed by DFARS 252.204-7012. We’ve seen that many companies are still just getting started with CMMC preparation. This new assessment methodology is an opportunity to self-assess your compliance, post an honest score, and begin working with an experienced partner so you’re ready for the CMMC audit.

The interim rule defines three levels of assessment for NIST SP 800-171: Basic, Medium, and High. To be eligible for a contract award, you must have a current Basic Assessment (no more than three years old) on file in SPRS; the Medium and High assessments are conducted by the government and may be required at any time.

You’re then given a summary score that reflects how many of the 110 NIST SP 800-171 security requirements you have implemented. The score is weighted rather than a simple count: you start at 110, and each requirement that is not implemented subtracts 5, 3, or 1 points depending on how much a failure to implement it weakens the protection of Controlled Unclassified Information (CUI), so the lowest possible score is -203. A score of 110 means every requirement is fully implemented. Because the score is reported in SPRS and visible to contracting officers, it becomes a public measure of your company’s cybersecurity posture.
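The scoring rule above is easy to get wrong by hand, so here is an added example (not code from the original post) that applies it to a constructed set of findings. The overall rule, start at 110 and subtract each unmet requirement’s weight of 5, 3, or 1, with partial credit only for 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography), follows the published DoD Assessment Methodology; the specific weights assigned to the handful of sample requirements below, and the statuses in `SAMPLE_STATUSES`, are assumptions for illustration and should be confirmed against Annex A of the methodology before use. The example also models the methodology’s rule that an assessment cannot be completed without a System Security Plan (3.12.4).

```python
from dataclasses import dataclass

# Added example, not part of the original post. The overall scoring rule
# follows the NIST SP 800-171 DoD Assessment Methodology; the per-requirement
# weights below are illustrative assumptions (confirm against Annex A).

MAX_SCORE = 110   # every requirement implemented
MIN_SCORE = -203  # every requirement unmet at the published weights


@dataclass(frozen=True)
class Requirement:
    ident: str
    weight: int                 # 5, 3 or 1 points, per Annex A of the methodology
    partial_deduction: int = 0  # reduced deduction when partially met; only 3.5.3 and 3.13.11 have one


# Constructed subset of the 110 requirements (a real assessment iterates all of them).
SAMPLE_REQUIREMENTS = [
    Requirement("3.1.1", 5),                        # limit system access to authorized users
    Requirement("3.1.2", 5),                        # limit access to permitted transactions/functions
    Requirement("3.1.3", 1),                        # control the flow of CUI
    Requirement("3.5.3", 5, partial_deduction=3),   # MFA; 3 points if only remote/privileged access is covered
    Requirement("3.13.11", 5, partial_deduction=3), # FIPS crypto; 3 points if encrypted but not FIPS-validated
    Requirement("3.14.1", 5),                       # identify, report and correct system flaws
]

# Constructed findings for the sample. Valid statuses: implemented, partial, not_implemented.
SAMPLE_STATUSES = {
    "3.1.1": "implemented",
    "3.1.2": "implemented",
    "3.1.3": "not_implemented",
    "3.5.3": "partial",            # MFA on VPN and admin accounts only
    "3.13.11": "not_implemented",  # TLS in use, but the assessor found no FIPS validation and no encryption of CUI at rest
    "3.14.1": "implemented",
}


def summary_score(requirements, statuses, ssp_exists):
    """Return (score, deductions); deductions is a list of (requirement id, points lost).

    A requirement missing from `statuses` is treated as not implemented, which is
    what an assessor does when no evidence is offered for it.
    """
    if not ssp_exists:
        # Per the methodology, no System Security Plan (3.12.4) means the
        # assessment cannot be completed, so no score is produced at all.
        raise ValueError("assessment cannot be completed: no System Security Plan (3.12.4)")

    score = MAX_SCORE
    deductions = []
    for req in requirements:
        status = statuses.get(req.ident, "not_implemented")
        if status == "implemented":
            continue
        if status == "partial":
            if req.partial_deduction == 0:
                # Only 3.5.3 and 3.13.11 may be scored as partial; everything else is all or nothing.
                raise ValueError(f"{req.ident} has no partial-credit rule; score it implemented or not_implemented")
            points = req.partial_deduction
        elif status == "not_implemented":
            points = req.weight
        else:
            raise ValueError(f"unknown status {status!r} for {req.ident}")
        score -= points
        deductions.append((req.ident, points))
    return score, deductions


if __name__ == "__main__":
    score, lost = summary_score(SAMPLE_REQUIREMENTS, SAMPLE_STATUSES, ssp_exists=True)
    print(f"summary score: {score}/{MAX_SCORE}")
    for ident, points in lost:
        print(f"  {ident}: -{points}")
```

Running it on the constructed findings yields 101: one point for 3.1.3, three for the partial MFA rollout, and five for 3.13.11. Note that the score alone does not distinguish one missing 5-point control from five missing 1-point ones, which is why the interim rule also requires a date by which the remaining requirements will be implemented.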

An external assessment and evidence-based approach are best practices.

It’s important to recognize that this, too, is a phased approach. While you may not be required to provide evidence for a Basic Assessment now, that evidence will be critical for the Medium and High assessments and for CMMC audit preparation. When completing the self-assessment and documenting evidence for each security requirement, it helps to work with an external partner that has experience in government compliance and comprehensive IT leadership and support.

A risk assessment is an opportunity to identify areas of compliance, non-compliance, or partial compliance with a set of security requirements. The assessment uncovers the conditions that put you at risk of a breach, data leak, or other incident. As part of the process, we test for, identify, and rate that risk. This supports in-depth technical and organizational recommendations for closing gaps, improving compliance, and mitigating critical vulnerabilities. But you likely won’t want to stop there: these activities leave you with a clear understanding of what needs to happen next, and a comprehensive IT and cybersecurity services partner like Mainstay Technologies can help you close the gaps and improve how you manage risk on an ongoing basis.

A new assessment framework like this, alongside CMMC, is a message from the Department of Defense that cybersecurity is a priority. The process takes time, money, effort, and continuous management. And in the end, meeting compliance means following a set of rules, but compliance alone won’t shield companies from real-world cybersecurity threats, which grow in volume and complexity each year.