Effective November 30, 2020, the DoD's DFARS interim rule put new requirements on defense vendors. NIST SP 800-171 defines 110 security requirements (control points) that a vendor must meet in order to be awarded contracts, and those same 110 requirements feed into a new certification, the Cybersecurity Maturity Model Certification (CMMC), that is expected to be required by 2024. Under the interim rule every vendor must self-assess against those 110 requirements, score its system using the DoD Assessment Methodology, and post the score in the Supplier Performance Risk System (SPRS). For now only the score needs to be posted; full compliance with every control point is not yet required. However, part of the process is an action plan for reaching full compliance before 2024, when a full CMMC will be required.
The process can be daunting: most of the control points are written in government language, and the sheer number of them, and what each one means, takes time to work through. There are publications and a website set up to help companies wade through the requirements. Project Spectrum (projectspectrum.io) is a DoD-sponsored resource that walks through each requirement with plainer questions. NIST Handbook 162, the NIST MEP Cybersecurity Self-Assessment Handbook, goes deeper into what each control point means and which roles in your organization should have the answers.
It is a lengthy process, as many of the points are multi-faceted control procedures that may have to be developed from scratch. Another part of the certification is having, or creating, a System Security Plan (SSP). The SSP describes your specific environment and what you are doing, and are going to do, to meet each control point. The other part is a Plan of Action and Milestones (POA&M). The POA&M must list the dates and the processes you will implement in order to reach full compliance with the new regulations.
Over the next few years you will be able to make changes, correct deficiencies, and update your posted score as often as needed. This gives businesses time to comply without forcing them to spend what could be a significant amount of money all at once, depending on how your system is set up and operated.
Our team at Kitsap Networking Services & Sequim I.T. can help you navigate this process. The initial assessment, which follows the procedures in NIST SP 800-171A, is a self-scored look at your system, and under the interim rule the only immediate requirement is to have a score posted in SPRS. Each control point is weighted (1, 3, or 5 points are deducted when it is not met), so it is possible to have a negative score while still conforming to most of the points. With this information we can build your action plan and fold upgrades and new processes into your normal PC maintenance, making the process a little less daunting.
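To make the weighting concrete, here is a small score calculator added for this post (it is not the page's own tool and not a DoD tool). It models the DoD Assessment Methodology's rules: start at 110, deduct each unmet requirement's weight of 1, 3, or 5, and give partial credit (a 3-point deduction instead of 5) for the two requirements the methodology allows it on, multi-factor authentication (3.5.3) and FIPS-validated cryptography (3.13.11). The sample inventory, its `sample-NNN` identifiers, and the weights attached to them are constructed for illustration; the official weight of each requirement comes from the methodology's annex.

```python
from dataclasses import dataclass
from typing import Iterable, List

MAX_SCORE = 110                              # one point per requirement when all 110 are met
WEIGHTS = (1, 3, 5)                          # the only deduction sizes the methodology uses
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}  # deduction when these two are only partially met


@dataclass(frozen=True)
class Requirement:
    ident: str
    weight: int   # 1, 3 or 5; sample values below are constructed, not the official annex values
    status: str   # "met", "partial" or "not_met"


def deduction(req: Requirement) -> int:
    """Points removed from the 110 maximum for a single requirement."""
    if req.weight not in WEIGHTS:
        raise ValueError(f"{req.ident}: weight must be one of {WEIGHTS}")
    if req.status == "met":
        return 0
    if req.status == "not_met":
        return req.weight
    if req.status == "partial":
        if req.ident not in PARTIAL_CREDIT:
            # Only 3.5.3 and 3.13.11 carry partial credit; anything else is all or nothing.
            raise ValueError(f"{req.ident}: no partial credit allowed, record it as not_met")
        return PARTIAL_CREDIT[req.ident]
    raise ValueError(f"{req.ident}: unknown status {req.status!r}")


def score(reqs: Iterable[Requirement]) -> int:
    """SPRS-style score: 110 minus the weighted deductions. Can go negative."""
    reqs = list(reqs)
    if len(reqs) != MAX_SCORE:
        raise ValueError(f"expected {MAX_SCORE} requirements, got {len(reqs)}")
    return MAX_SCORE - sum(deduction(r) for r in reqs)


def percent_met(reqs: Iterable[Requirement]) -> float:
    reqs = list(reqs)
    return 100.0 * sum(r.status == "met" for r in reqs) / len(reqs)


def sample_inventory() -> List[Requirement]:
    """Constructed inventory: 80 met, 22 unmet 5-point items, 6 unmet 3-point items,
    plus the two partial-credit requirements partially met."""
    reqs = [Requirement(f"sample-{i:03d}", 1, "met") for i in range(80)]
    reqs += [Requirement(f"sample-{80 + i:03d}", 5, "not_met") for i in range(22)]
    reqs += [Requirement(f"sample-{102 + i:03d}", 3, "not_met") for i in range(6)]
    reqs += [Requirement("3.5.3", 5, "partial"), Requirement("3.13.11", 5, "partial")]
    return reqs


if __name__ == "__main__":
    inv = sample_inventory()
    print(f"{percent_met(inv):.0f}% of requirements met, score {score(inv)}")
```

With this inventory about 73% of the requirements are met, yet the posted score is -24, because the unmet items happen to be the heavily weighted ones. That is the point of the weighting: a handful of missing 5-point controls costs far more than many missing 1-point controls, so an action plan should prioritize by weight, not by count.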