If you are a government contractor with a DFARS 252.204-7012 clause in your contract, take note: the U.S. Department of Defense has announced a new interim rule, which goes into effect on November 30, 2020.
The Cybersecurity Maturity Model Certification (CMMC) Interim Rule was issued on September 29, 2020, to accelerate government contractors’ preparation for when the CMMC goes into effect. Although CMMC is projected to go into effect in 2025, the CMMC Interim Rule has given it a renewed sense of importance. Additionally, the tight deadline has created a sense of panic that could result in an inefficient and costly path towards certification. We encourage all government contractors to take a step back and recognize the importance of properly planning and projecting the path to CMMC compliance.
What are the first steps to CMMC compliance?
The first step towards CMMC compliance is to complete either a self-assessment or a third-party assessment to get a baseline and see how close—or how far away—your organization is from meeting the minimum requirements. The third-party assessment will discover inadequate system setups and processes that may not meet all the required controls. The first step to ensuring your organization’s compliance is to take a closer look at its networks and procedures.
Once you have the third-party assessment’s baseline, you will need to perform a gap analysis to better understand your organization’s security posture and which areas need attention. Without a proper gap analysis, it is impossible to know what changes your organization needs to make before it meets the required CMMC Level.
The gap analysis will also assist with developing a remediation plan based on the Plan of Action and Milestones (POAM). A remediation plan may involve small corrective actions to a network and/or its processes. In addition, it may involve more extensive changes, including developing compliant networks and policies or processes.
Once the remediation plan is complete and your organization’s systems and procedures are compliant with the appropriate CMMC Level, your organization will have the tools and processes in place to monitor, detect, and report on cybersecurity incidents within the infrastructure.
What does the CMMC mean for the future of government contracting?
As of today, the CMMC Level III Certification seems to be the standard that will be required for contract awards. Therefore, it is extremely important that government contractors are prepared to pass the CMMC audit as soon as possible. If you are not prepared to pass your desired CMMC Level, your organization will run the risk of being unable to offer products and services to the DoD for an extended period, or of having its contract revoked altogether.
If you are unsure about your CMMC compliance and completing the self-assessment, contact us as soon as possible to schedule your free consultation. Slate Enclave can help you complete your CMMC self-assessment in a timely manner.