NIST and CMMC Compliance, Oversight and Assurance 

NIST and CMMC compliance readiness review

From the 1st of December 2020 contractors will be required to have up to date NIST SP 800-171 assessment result posted in SPRS.  From January 2021 the DoD will add CMMC certification requirements to new contracts.  In both cases contractors and their subcontractors must have up to date assessment results posted in the DoDs Supplier Performance Risk System (SPRS) if they wish to be awarded new DoD Contracts.

Compliance requirements

New contract award: From 1st December 2020 compliance will be required by DoD contractors and subcontractors to DFARS clauses 252.204-7012, 252.204-7019, 252.204-2020 and 252.204-7021.  Contractors and subcontractors will input their compliance results to the DoD SPRS system.  DoD Contracting officers will be required to evaluate those inputs to the SPRS system and contractors which do not have upto date assessments input will not be awarded new DoD contracts.

Legal sanctions:  The Interim Final Ruling (IFR) assumes that companies who were contracted by the DoD and where DFARS Clause 204.252-7012 was applied, should already comply with 110 NIST SP 800-171 security practices.  Compliance was required from December 2017 and with contractors self attesting to their implementation of the associated 110 cyber security practices.  Flowing these requirements by contract down to their subcontractors.

Under the DoD Assessment Methodology (DAM) defined in the new ruling contractors and subcontractors are required to evaluate their current compliance to NIST SP 800 – 171.  Publish this ‘basic’ assessment in SPRS and potentially undergo separate DoD ‘medium and high-level’ assessments.  Under the CMMC requirements in the new ruling contractors and subcontractors will be required to submit a certificate of CMMC compliance.  Issued following an independent assessment by accredited assessors, from accredited assessment organisations and publish these results in SPRS.

When DAM results are submitted to SPRS and when CMMC accreditation assessments take place.  There is the potential to challenge deviations from the original DFARS 252.204-7012 self-attestations results.  Contractual commitments taken on by contractors and flowed down to subcontractors when NIST requirements were added to contracts by the DoD, with a expectation of compliance from December 2017.

Moving forward:  It is important that contractors and subcontractors assess and manage their current compliance to NIST SP 800-171, applying 110 cyber security practices.  CMMC compliance requires contractors to apply between 15 and 171 cyber security practices across 5 maturity levels.  Levels which will be defined by the DoD on a contract by contract basis based upon the Controlled Unclassified Information(CUI), from CMMC level 1 to 5.  Requirements which must be flowed down through contracts from contractors to subcontractors, for the protection of CUI and Federal Contract Information (FCI).

It is important that contractors and subcontractors consult their General Council with respect to the legal consequences of the Interim Final Ruling and the appropriate DFRAS compliance.

NIST SP 800-171 Oversight & Assurance

For new contracts, contractors and subcontracts must assess and manage their compliance to the 10 NIST SP 800 – 171 security practices.  Submitting results to the DoD Supplier Performance Risk System (SPRS).

We work with clients to support the oversight and assurance of NIST SP 800 – 171 compliance.  Including

  • The development of the NIST assessment programme.
  • Management of the NIST assessment programme.
  • Oversight and assurance of existing cyber security capabilities in line with NIST and CMMC requirements.

CMMC Oversight & Assurance

The DoD will add CMMC requirements to new contracts starting in 2021.  The levels are likely to be at level 1 and level 3.  Requiring contractors and subcontractors to have CMMC certificates for the 15 (FCA security practice) at Level 1 or 130 (NIST 110 plus 20 additional CMMC security practices) at level 3.  Maintaining CMMC compliance through the life of the contract.

We work with clients to support the oversight and assurance of CMMC compliance, prior to a CMMC certificate assessment.  Including

  • The development of the CMMC oversight and assurance programme.
  • Management of the CMMC assessment programme.
  • Oversight and assurance of existing cyber security capabilities in line with NIST and CMMC requirements.

Chartered Security Professional (CSyP)The Institute of Mechanical Engineers (IMECHE). The UKs largest professional body representing Mechanical Engineers and Chartered Engineers.Security Institute (MSyI)Worshipful Company of Security ProfessionalsAcademy of Experts