NIST and CMMC Compliance, Oversight and Assurance 

NIST and CMMC compliance readiness review

From 1st December 2020, DoD contractors and subcontractors must comply with DFARS clauses 252.204-7012, 252.204-7019, 252.204-7020 and 252.204-7021.  Contractors and subcontractors must enter the results of their NIST SP 800-171 cyber security assessment into the DoD Supplier Performance Risk System (SPRS), and DoD contracting officers must check those scores before awarding new contracts.  From January 1st 2021 CMMC requirements will be added to new DoD contracts.  Contractors and subcontractors will be required to hold and maintain an appropriate CMMC certificate of compliance, recorded in SPRS and issued by an authorised and accredited CMMC assessor.

In both cases the requirements must be flowed down through contracts from contractors to their subcontractors.  A contractor or subcontractor will not be awarded a new contract or subcontract unless its NIST SP 800-171 score or a valid CMMC certificate of compliance has been entered into SPRS.

Compliance requirements

Cyber security practices:  DFARS 252.204-7012 requires contractors and subcontractors to implement the 110 NIST SP 800-171 security requirements.  Contractors and subcontractors should evaluate their compliance against all 110 requirements and bear in mind, when completing the NIST SP 800-171 DoD Assessment Methodology (DAM) assessment, that a requirement covered only by a Plan of Action and Milestones (POA&M) is scored as not implemented: its weighted value (1, 3 or 5 points, depending on the requirement) is deducted from the maximum score of 110, reducing the overall compliance score.

Where it applies, CMMC will require contractors and subcontractors to implement between 17 and 171 cyber security practices across 5 maturity levels.  The required level will be set by the DoD on a contract-by-contract basis, depending on whether the contractor handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).  Contractors and subcontractors will be required to undergo an independent CMMC assessment and be issued with a certificate of compliance at the appropriate level.

Contractors and subcontractors should consult their General Counsel (GC) on the legal consequences of the interim final rule and on the appropriate DFARS compliance, particularly given the implications of having self-attested to DFARS 252.204-7012 compliance since December 31st 2017.

NIST SP 800-171 and CMMC readiness review

For new contracts and options, contractors and subcontractors must assess and manage their compliance against the 110 NIST SP 800-171 security requirements from 1st December 2020.  From January 1st 2021 CMMC levels will be added to contracts and flowed down through the supply chain to subcontractors.

By the end of 2025 every DoD contract will carry a required CMMC level, so all DoD contractors and subcontractors will need to be CMMC compliant at a minimum of CMMC Level 1.  A contractor or subcontractor that creates, stores or processes CUI will be required to hold and maintain at least CMMC Level 3.

In both cases the DoD will not award a contract unless cyber security compliance can be demonstrated.

We work with clients to support the oversight and assurance of NIST SP 800-171 and CMMC compliance.  This includes:

  • The development and management of NIST and CMMC assessment programmes.
  • Oversight and assurance of existing cyber security capabilities in line with NIST and CMMC requirements.
  • Evaluation of NIST SP 800-171 and CMMC readiness.
