The CMMC is making progress towards training new CMMC auditors. With the first round of trainees through, they are gearing up to begin the next round. This is an exciting time, and recently we have seen an emergency action that is now included in the finalization of the DFARS rules change.
Approved by the Office of Information and Regulatory Affairs (OIRA), the DoD’s emergency action requires existing DoD contractors to immediately submit either a self-assessment OR a medium/high assessment conducted by a DoD assessor.
This Emergency Action has been incorporated into the rules change to DFARS clause 252.204‐7012, which defines what is and is not CUI/CDI. This will play significantly into the rollout of CMMC.
Previously, the DoD accepted self-attestations that contractors were compliant with NIST 800‐171/DFARS, and contractors believed the risk of an audit was low. Because of this, it was not uncommon for contractors to skip implementing controls they should have had in place all along. This new Emergency Action will force all current contractors to show evidence of compliance. For those already following the guidelines, this will be simply a paperwork headache; those that were not will be scrambling to shore up gaps. It will become a major problem for contractors that were not as forthcoming as possible in their original self-attestations.
So what should you do regarding the Emergency Action? Ensure you have a good handle on your cybersecurity infrastructure. If you are using the NIST 800‐171 standard as your baseline, you will be compliant with the current standard, and it will get you most of the way to CMMC maturity level 3. Partnering with an MSSP like Summit Business Technologies will give you access to teams that are well versed in the standards and can walk you through the entire process of completing the POA&M to close the gaps found during the assessment. You can book a call with us anytime.
Following our 4-step plan will help you maintain a proper cybersecurity framework:
Our in‐depth assessment will help identify and categorize the gaps and proficiencies in your current infrastructure. Our vulnerability scan will provide you with a list of where your network is most vulnerable to attack.
We provide the complete SSP and POA&M required for NIST 800‐171 compliance and, in addition, a high-level estimate of remediation options. These documents will be the baseline of your framework and will need to be updated periodically.
3. Plan and Implement
Having a baseline of where you are and where you need to go is excellent. Moving forward, you need a roadmap to get you from A to B. Our team will develop a system design and architecture to identify the best possible plan for updating your cybersecurity infrastructure and remediating gaps. Once the roadmap is set, we can then provide the right tools and write the policies and procedures you might need.
The world of cyber threats is ever-evolving, which means your cybersecurity infrastructure will need to evolve as regularly as the attacks it is defending against. Our team of engineers will continually work with you to keep all supporting documents up to date and to ensure you have access to the best security resources.