In response to increasing cyber threats, the US Government added the CMMC framework to the DFARS in 2020 and updated it to CMMC 2.0 in 2021. In 2022, the Securing American Cybersecurity Act (SACA) was introduced.
CMMC 2.0 compliance is an ongoing practice to which businesses need to allocate time and resources. Compliance is determined by the NIST 800-171r2 Assessment. This assessment audits 14 domains of cybersecurity that encompass 110 individual controls within the framework. Policies and governance for each control must be clearly documented. Businesses need to curate an adequate body of qualified evidence on an ongoing basis to prove ongoing compliance.
· Do you directly hold contracts with the Federal government?
· Do YOUR customers sell directly to the government?
· Does your organization receive research funding from the government?
If you said "Yes" to any of the above, you need to be CMMC 2.0 compliant.
You must assess your cybersecurity posture annually. CMMC 2.0 requires using the NIST SP 800-171r2 Assessment Methodology. Assessment scores must be uploaded to the Supplier Performance Risk System (SPRS). Failure to do so will disqualify businesses from new or renewed contracts.
SACA effectively broadens the reach of the Government's risk management by requiring contract holders to exclusively work with CMMC 2.0 / NIST 800-171r2 compliant contractors. Your customers that sell to the government will require proof of compliance in 2024.
Outsourcing your cybersecurity does not make you compliant with CMMC 2.0. Cybersecurity providers offer a valuable service, but they cannot help with your business's policies, governance, and remediation controls as required in the framework. Finally, it's best practice to hire an impartial third party to review your cybersecurity posture and governance requirements.
Businesses are required to rate themselves based on the implementation of each of the 110 NIST 800-171r2 cybersecurity controls. These assessments must be completed on an annual basis for ongoing compliance and reporting. We recommend enlisting the help of a professional whose assessment methodology and standards will be in line with an auditor's.
Scores range from 110 for a perfect score to -203. Points are subtracted for non-implemented controls. No credit is given for partially implemented controls apart from Multifactor Authentication (MFA) and FIPS-validated encryption. The value of each control is based on the level of impact it has.
Businesses that do not score a perfect 110 are required to submit a formal Plan of Action and Milestones (PoAM) that details how the business is taking action to implement each of the missing or unsatisfactory controls. Businesses will need to update their PoAMs every year until perfect scores are achieved and maintained.
Talk to a Cyber-AB Registered Practitioner Organization separate from your security operations team to ensure controls are fully implemented and documented within acceptable standards of the NIST 800-171r2 assessment.
To learn more about your CMMC 2.0 requirements, schedule a consultation with a Security specialist!
6820 Shingle Creek Parkway Suite 2 | Minneapolis, MN 55430