Do you currently have a DoD contract? Does that contract contain DFARS clause 252.204-7012? If the answer is yes, then you are already required to implement NIST SP 800-171. Luckily, the new CMMC framework draws most of its practices from NIST SP 800-171, so if you have been implementing NIST SP 800-171 controls, continue doing so.
What if you have a DoD contract but are not required to implement NIST SP 800-171 (DFARS 252.204-7012 is not in your contract)? Unless you are selling only commercial off-the-shelf (COTS) items to the DoD, you will likely have a CMMC requirement. At this point (May 2020) you cannot be sure which CMMC level you will need to be certified at. As a result, starting to implement the CMMC Level 1 practices is a good idea. These are basic cybersecurity practices your company should be following regardless of your contract requirements.
Most Companies are Not Prepared for CMMC
In July of 2019 the Inspector General of the U.S. Department of Defense released an audit report revealing the findings of security assessments conducted on DoD contractors. The report looked at the contractors' implementations of NIST SP 800-171 security controls. Unsurprisingly, the audit found deficiencies at every contractor assessed.
As you know, with the new CMMC program DoD contractors will be undergoing third-party assessments of their security controls. This is to verify that they can protect the federal contract information (FCI) and controlled unclassified information (CUI) residing on their systems. Earning your CMMC certification will depend on how well your organization prepares for its official CMMC assessment.
Do you have difficulty understanding your requirements?
Let's be honest, the security requirements in the new CMMC framework are difficult to understand. Misunderstanding a requirement and implementing it incorrectly isn't a risk you should be taking. In the future, your ability to work on a DoD contract will depend on your implementation of CMMC controls.
How we can help
We developed an easy-to-use web app that explains all of your CMMC requirements in plain, non-technical terms. It tells you exactly what to do and provides examples. Through the app, a cybersecurity professional conducts a custom gap analysis for your company and creates a project plan for you. Feel free to book a demo with us.
Quick & Simple
Discover Our Cybersecurity Compliance Solutions:
Whether you need to meet and maintain your own compliance requirements, help your clients meet theirs, or verify supplier compliance, we have the expertise and solution for you.
NIST SP 800-171 & CMMC Compliance
Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.
HIPAA Compliance
Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
FAR 52.204-21 Compliance
Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
ISO 27001 Compliance
Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.