NIST and CMMC Compliance, Oversight and Assurance 

NIST and CMMC compliance readiness review

From 31st November 2020, DoD contractors and subcontractors will be required to comply with DFARS clauses 252.204-7012, 252.204-7019, 252.204-2020 and 252.204-7021.  Contractors and subcontractors must enter their NIST SP 800-171 cyber security compliance results into the DoD Supplier Performance Risk System (SPRS), and DoD contracting officers will be required to evaluate those scores before awarding new contracts.  It is expected that from mid 2023 CMMC requirements will be added to new DoD contracts.  Contractors and subcontractors will then be required to hold and maintain an appropriate CMMC certificate of compliance in SPRS, issued by an authorized and accredited CMMC auditor.

In both cases these are requirements which must be flowed down through contracts from contractors to subcontractors.  A contractor will not be awarded a new contract, and should not award a subcontract, unless a NIST SP 800-171 compliance score for themselves or their subcontractor has been loaded into SPRS.  From 2023 a valid CMMC certificate of compliance will also be required to be entered into SPRS.

Compliance requirements

Cyber security practices:  DFARS 252.204-7012 requires contractors and subcontractors to apply the 110 NIST SP 800-171 cyber security practices for the protection of Controlled Unclassified Information (CUI).  It is important that contractors and subcontractors evaluate their compliance against the 110 cyber security practices and their more than 300 assessment criteria.  Remember that when completing the DoD Assessment Methodology (DAM) assessment, a Plan of Action and Milestones (POAM) recorded against any single security practice will invalidate that practice, reducing the overall compliance score.  Organisations should maintain both a System Security Plan and POAMs to demonstrate that they understand and are managing their system security and are remediating identified gaps in compliance.

Where applicable, CMMC 2.0 compliance currently requires contractors and subcontractors to comply with NIST SP 800-171 practices across 3 levels, requiring the application of 17 (Level 1), 110 (Level 2) or more than 110 (Level 3) cyber security practices.  The required level will be defined by the DoD on a contract by contract basis.  CMMC Level 1 contract compliance can be completed by self-assessment; CMMC Level 2 contract compliance can be completed by self-assessment or may require a third party assessment; and CMMC Level 3 will require a government led assessment.  Contractors and subcontractors will be required to enter a certificate of CMMC compliance before a DoD procurement officer can award a DoD contract.

It is important that contractors and subcontractors consult their General Counsel (GC) on the legal consequences of the Interim Final Rule and the appropriate DFARS compliance, given the implications associated with self-attestation to DFARS 252.204-7012 from December 31st 2017, the Interim Final Rule of November 2020 and the CMMC proposals.

NIST SP 800-171 and CMMC readiness review

For new contracts and options, contractors and subcontractors must assess and manage their compliance against the 110 NIST SP 800-171 security practices from the 31st November 2020.  From mid 2023 it is expected that CMMC levels will be added to DoD contracts and flowed down the supply chain at the same level.

This will require all DoD contractors and subcontractors to be CMMC compliant at a minimum of CMMC Level 1 if they process Federal Contract Information.  If the contractor or subcontractor creates, stores or processes CUI, they will be required to maintain CMMC Level 2.

In all cases DoD procurement officers have been instructed not to award a contract unless cyber security compliance can be proven by self-assessment, third party assessment or a Government led assessment.

We work with clients to support the oversight and assurance of NIST SP 800-171 and CMMC compliance.  This includes:

  • The development and management of NIST and CMMC assessment programmes.
  • Oversight and assurance of existing cyber security capabilities in line with NIST and CMMC requirements.
  • Evaluation of NIST SP 800-171 and CMMC readiness.

Chartered Security Professional (CSyP)
The Institution of Mechanical Engineers (IMechE), the UK's largest professional body representing Mechanical Engineers and Chartered Engineers
Security Institute (MSyI)
Worshipful Company of Security Professionals
Academy of Experts