Though the DoD has delayed CMMC certification, Defense Contract Management Agency (DCMA) is now enforcing that contractors have all NIST SP 800-171 documentation in place by performing surprise audits. DCMA created the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to examine companies who have self-assessed compliance with NIST requirements at all CMMC levels.
If subject to a surprise assessment, the DIBCAC will initiate contact with the contractor on a Monday and will require them to submit their gap analysis, plan of action and milestones (POA&M), and system security plan (SSP) by that Friday [1]. To prepare for a spontaneous audit, companies must complete these documents immediately and ensure their accuracy.
NIST SP 800-171 Gap Analysis
First, your organization needs a compliance gap analysis detailing the compliance-related activities associated with each of the 110 NIST SP 800-171 cybersecurity requirements. You must assess each control requirement as “fully compliant,” “partially compliant,” “not compliant,” or “not assessed.” The result of a NIST SP 800-171 gap analysis is a compliance score, derived from the number of controls a company assesses as “fully compliant.”
In September 2020, the DoD published the DFARS Interim Rule (DFARS 252.204.7012) requiring contractors to report their NIST SP 800-171 compliance score through the Supplier Performance Risk System (SPRS) no later than November 30, 2020. Over a year later, many organizations still have not reported their compliance score. Some organizations have been denied contract modifications or new contract awards because they have not done so.
The compliance experts at InfoDefense have a thorough understanding of each CMMC requirement. Our free NIST SP 800-171 self-assessment tool automatically calculates your NIST SPRS score as answers are entered in the tool and is available upon request here. As a C3PAO candidate with years of experience in NIST SP 800-171 compliance, we also offer NIST SP 800-171 assessment services. Hiring an expert will ensure that your gap analysis and SPRS score are accurate.
Plan of Action & Milestones
Second, a Plan of Action & Milestones is expected to be in place. The Plan of Action & Milestones is a compliance remediation plan expressed in a format defined by the DoD. The POA&M is informed by your assessment and details each deficiency, what will be done to remediate the compliance gap, and a timeline for when the gap will be remediated. The gap with the latest remediation date determines the “Plan of Action Date,” the date when full compliance will be achieved. InfoDefense can work with your company to produce a POA&M based on the deficiencies discovered during the assessment process.
System Security Plan (SSP)
Lastly, a System Security Plan must be completed. The SSP illustrates the detailed architecture of security controls required by NIST SP 800-171 and provides high-level compliance plans or evidence of compliance (depending on status) for all 110 requirements. InfoDefense can also produce this document for your organization based on the results from the assessment and POA&M.
Efficient, Cost-Effective Documentation
Security plans, assessments, and policies and procedures are a critical element of any NIST SP 800-171 compliance effort. Gap analysis, POA&M, and SSP documents must be produced to provide a foundation for NIST SP 800-171 and CMMC compliance. The time invested in preparing and reviewing each document for accuracy will pay off as your organization moves closer to its CMMC assessment. If you do not have these documents in place and need efficient, cost-effective help, or if you would like an external review of your current compliance efforts, contact us to speak with a compliance expert.
InfoDefense is an experienced NIST SP 800-171/CMMC compliance solution provider that can bring your organization to full compliance and readiness for certification.