CMMC 2.0 and NIST SP 800-171 SPRS Score
CMMC 2.0 (Cybersecurity Maturity Model Certification), issued on November 4, 2021, builds upon the initial CMMC framework to enhance Defense Industrial Base (DIB) cybersecurity. The CMMC framework, which is based on NIST SP 800-171, has 110 controls that organizations must meet to achieve Level 2.
The Department of Defense (DoD) expects that around 80,000 Defense Industrial Base (DIB) contractors will need a third-party assessment to reach Level 2 compliance for the CMMC 2.0 program – double the previously estimated number of companies.
DoD is Signaling Its Enforcement Intent
DoD indicated that CMMC 2.0 is scheduled to become an Interim Rule in May 2023. Since both DFARS and CMMC require contractors to comply with the same NIST SP 800-171 framework, increased enforcement means that your organization needs to act now to protect its CUI and comply with CMMC 2.0 and related DoD mandates.
As new CMMC 2.0 requirements go into effect early next year, we anticipate that many contractors and sub-contractors will have to show they have met the CMMC 2.0 controls and can show proof of a 110 SPRS score.
What do I have to do to comply with CMMC?
CMMC is designed to protect Controlled Unclassified Information (CUI) that is shared by the Department of Defense (DoD) with its contractors and subcontractors and provide assurance that Federal Contract Information (FCI) and CUI is secure.
Under the CMMC program, DIB contractors will be required to implement certain cybersecurity protection standards, and, as required, perform self-assessments or obtain third-party certification as a condition of DoD contract award.
In addition, on December 1, 2021, the DFARS Interim Rule became law, reinforcing that all DoD contractors need to submit their SPRS score (which can range from -203 to 110) to the Supplier Performance Risk System (SPRS) to avoid losing DoD revenue.
To complete your SPRS score, you must cover 320 assessment objectives across 110 controls. Note: The Interim Rule also requires defense contractors to provide DoD access to their facilities, systems, and personnel as necessary to enable DoD to conduct or renew a higher-level assessment of NIST SP 800-171 compliance. In other words, contractors must allow a DoD review of compliance that dives deeper than the contractor’s own self-assessment.
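As an added example (not part of the original page or of CyberCompass's tooling), the Python below scores a constructed set of controls the way the DoD NIST SP 800-171 Assessment Methodology arrives at the -203 to 110 range: start at 110 and subtract each unmet control's weight of 5, 3 or 1. The per-control weights in the sample are assumed for illustration (take real ones from the methodology's scoring table); the partial-credit rule for 3.5.3 and 3.13.11 is the methodology's own.

```python
from dataclasses import dataclass

MAX_SCORE = 110   # every NIST SP 800-171 requirement implemented
MIN_SCORE = -203  # nothing implemented: 110 minus the sum of all weights

# Only these two requirements earn partial credit under the DoD methodology:
# 3.5.3 (MFA rolled out to some but not all users) and 3.13.11 (encryption
# in use but not FIPS-validated) lose 3 points instead of their full 5.
PARTIAL_CREDIT_IDS = {"3.5.3", "3.13.11"}


@dataclass
class Control:
    req_id: str   # NIST SP 800-171 requirement number
    weight: int   # 5, 3 or 1 points per the DoD Assessment Methodology
    status: str   # "implemented", "partial" or "not_implemented"


def deduction(c: Control) -> int:
    """Points subtracted from 110 for a single control."""
    if c.status == "implemented":
        return 0
    if c.status == "partial" and c.req_id in PARTIAL_CREDIT_IDS:
        return 3
    # Any other unmet control (including "partial" ones not listed above)
    # loses its full weight; there is no other partial credit.
    return c.weight


def sprs_score(controls) -> int:
    """Self-assessment score to post to SPRS for this control set."""
    score = MAX_SCORE - sum(deduction(c) for c in controls)
    assert MIN_SCORE <= score <= MAX_SCORE, "weights exceed the methodology total"
    return score


def poam_items(controls):
    """Controls that cost points and therefore belong on the POAM."""
    return [c for c in controls if deduction(c) > 0]


# Constructed sample: weights are illustrative, not the real scoring table.
SAMPLE_CONTROLS = [
    Control("3.1.1", 5, "implemented"),
    Control("3.5.3", 5, "partial"),          # MFA partially deployed: -3
    Control("3.13.11", 5, "partial"),        # non-FIPS crypto: -3
    Control("3.3.1", 5, "not_implemented"),  # no audit logging: -5
    Control("3.1.20", 1, "not_implemented"), # external connections: -1
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_CONTROLS))
    print("POAM items:", [c.req_id for c in poam_items(SAMPLE_CONTROLS)])
```

Every control returned by poam_items needs a dated remediation milestone in the POAM and its current state recorded in the SSP, since the DoD may ask for that evidence behind the posted number.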
SPRS Score and CMMC: What you need to do now to be ready
1. Your self-assessment score must be accurate.
Any score you post may be audited by the DoD, meaning you will need to show documentation that you have met each security control in order to justify your self-assessment. If you’ve made up a number based on what you think you’ve probably achieved, or if you fudged the numbers to have a higher score, your DoD contract may not be renewed.
2. If you’re working on your score, you need to have a System Security Plan (SSP) and a Plan of Actions and Milestones (POAM) ready.
In order to complete the score sheet, you must first have an SSP and a POAM in place. Both of these documents are required to meet security standards, and some of the items may seem difficult or impossible to answer.
Note: Both an SSP and a POAM are detailed documents, up to 100 pages each, that usually require working with a CMMC expert to complete.
“The uplift to meet CMMC would not have been possible without CyberCompass. We did not realize how much effort is required until we finished our assessment and got our real SPRS score. We are glad we started our journey more than six months ago so we can be ready.”
CyberCompass can help you achieve your 110 SPRS score and be CMMC compliant
- Performing an impartial third party security risk assessment for CMMC 2.0 (NIST SP 800-171)
- Guiding you in correcting issues and improving your score cost effectively
- Performing pen-testing and internal network vulnerability assessments (scans)
- Creating your System Security Plan
- Creating your Plan of Action and Milestones (POAM) on-demand
- Customizing your policies and procedures and managing implementation across the organization
- Performing table-top exercises using your new incident response plan
- Providing online cybersecurity awareness training
- Providing phishing campaigns
We bring automation and expertise together for a complete CMMC compliance as a service solution for our clients at an affordable price.
- We have been in the cybersecurity and compliance business for over 8 years.
- We save you 65% of workforce hours.
- Your Commander is a certified practitioner in CMMC.
- We do not sell any technology so we maintain our unbiased advantage for accuracy and integrity as a 3rd party cyber risk management firm.
- We include quarterly external penetration testing and network vulnerability scans (which can cost up to $15,000).
- We hate spreadsheets! So we created a proprietary platform that automates and streamlines your compliance journey:
  - Online assessments and surveys
  - Prioritized corrective actions (issues) – Risk Management Plan with project management
  - Evidence collection, secure vault and secure file share
  - Policies and Procedures customized for your organization
  - Task assignments and management
  - Documentation creation (such as SSP, POAM, policies and procedures, incident response plans, etc.)
- We can conduct assessments on multiple regulations from international, federal, state and industry cybersecurity, information security and privacy regulations.
- If you need to be CMMC and HIPAA compliant, we can assess and drive compliance efficiently.
What you can expect from our team:
- We stand with you through audits.
- We pride ourselves on delivering an outstanding customer experience with honesty, integrity, and creating value with our clients every day.