CMMC, Understanding the basic ins and outsĀ
The Cybersecurity Maturity Model Certification, or CMMC, is one of the newer frameworks supporting cybersecurity.Ā CMMC directly correlates to supply chain management for the U.S. Defense Industrial Base (DIB).Ā Let’s look at a few fundamental knowledge points related to CMMC.Ā
What is SPRS?
āSupplier Performance Risk System (SPRS) ā…is the authoritative source to retrieve supplier and product PI [performance information] assessments for the DoD [Department of Defense] acquisition community to use in identifying, assessing, and monitoring unclassified performance.ā (DoDI 5000.79).āĀ
SPRS is the platform that currently stores NIST SP 800-171 assessment scoring information.Ā Level 2 and Level 3 of the Cybersecurity Maturity Model Certification v2.0 (CMMC) assessment scoring information will also go into SPRS.Ā Companies doing business with the Department of Defense (DOD) will upload their CMMC 2.0 Level 2 assessment scores to SPRS.Ā Ā
There are training videos and instructions on accessing SPRS on the DOD website. This step is valuable as getting an SPRS profile takes time and patience.Ā I have included some of the basic steps below.Ā It does sound like a cumbersome process, but once it is all setup, the rest is easy to navigate.Ā Companies can view their scores in the SPRS environment but will not be able to view the scores of other companies.Ā SPRS scores are not released publicly under the Freedom of Information Act.Ā
How to log into SPRS?
- All users must register in Procurement Integrated Enterprise Environment (PIEE) and get approval to access SPRS.Ā Here is more about registering for an account on the PIEE system below.Ā
- Companies are required to have the āSPRS Cyber Vendor Userā role to be able to enter or edit information in SPRS.Ā
- A header of āHighest Level Owner (HLO)ā will be allocated or can be created.Ā
- Now use the āadd new assessmentā tab to an assessment.Ā
Logging into PIEE?
- Companies need to complete the registration process to get account approval.Ā
- Agree to the Privacy Statement.Ā
- Select the āVendorā tab. The drop-down menu will provide options for authentication.Ā
- Complete the following: User Profile, Supervisor / Agency Information, Role, Justification, Summary, and Agreement.Ā
- Complete the āRolesā fieldĀ by accessing āMy Accountā in the header field and selecting āAdditional Roles.āĀ
- The button for SPRS on the PIEE landing page will not be active until your access is approved.Ā Ā
- Check your approval status by clicking āManage Rolesā in āMy Account.āĀ
Okay, I registered on PIEE and SPRS; now what?
If you assessed CMMC 2.0 Level 1, you must upload an attestation.Ā CMMC 2.0 Level 1 will not use a weighted scoring system, so you cannot upload a weighted score to SPRS.Ā CMMC 2.0 Level 1 compliance will only be valid if all practices for this level are Met.Ā A yearly attestation and an annual affirmation from a senior company official are needed.Ā We will know more about this once the rulemaking phase ends and there are templatesĀ for the attestation and affirmation.Ā
Level 2 assessments have a weighted score for each practice.Ā There are 110 practices.Ā Each company can have a perfect score of 110 if all practices are Met.Ā Scores are deducted from 110 for practices not met.Ā This approach can very possibly result in a negative score.Ā Companies do not upload the scores per question but upload a total score.Ā It is crucial to continuously update the score as significant events in a companyās security posture occur.Ā All practices that are not Met and thus harm the score need to be accompanied by a POA&M. Scores below 80% are not compliant.Ā Companies with scores above 80% but not 100% mustĀ Ā Remediate all issues within a specified period.Ā This period will be defined as soon as the rulemaking phase is complete.Ā
Level 2 CMMC Assessments are assessed every three years by a third-party company.Ā This assessment carries a weighted score for all 110 practices of the CMMC 2.0.Ā During the interim years, a company still submits a level 1 CMMC 2.0 Self-Assessment attestation and affirmation by a senior company official.Ā Once the rulemaking is final, we will know exactly how much weight each practice will carry and how the weighted scoring will influence the CMMC 2.0 Compliance.Ā
Forty-four practices carry a weight of 5, fourteen practices with a weight of 3, fifty-one practices weighĀ 1, and one practice has a total weight score of 110.Ā With this knowledge, one can see how easy it is to get a negative score.Ā
CMMC, NIST SP 800-1741, DFARS, I am lost!
You are not alone.Ā But navigating through the weeds is easy with a certified Security consultant by your side.Ā The first step is to know the difference between CMMC, NIST SP 800-171, and DFARS.Ā Ā
NIST SP 800-171 is standard and has recommendations on cyber security.Ā DFARS requires that companies dealing with the DOD follow the NIST SP 800-171 standard.Ā NIST SP 800-171 has 110 controls.Ā
DFARS, the Defense Federal Acquisition Regulation Supplement, is based loosely on NIST SP 800-171 and was released in 2016.Ā DFARS is a set of regulations required to be in place if a company wants to bid on DOD contracts to bolster contractorsā cybersecurity requirements.Ā In 2019 the DOD released the first version of CMMC.Ā Initially, the DOD announced that the CMMC framework would be replacing DFARS.Ā This situation caused some panic in the contractor environment.Ā The DOD later clarified that DFARS compliance would remain fundamental to the new regulations.Ā Both frameworks apply to all DOD contractors and suppliers.Ā The main difference is that DFARS does not have maturity levels.Ā In the future, contractors will only be allowed to bid on contracts with the same maturity level as the one they are certified on. A contractor could potentially be DFARS compliant but not be able to bid on a level 2 contract because they are only CMMC level 1 compliant.Ā
CMMC certifies that companies comply with the NIST SP 800-171 standard.Ā CMMC has three levels of compliance certification called maturity levels.Ā At the highest level, there will be more than 110 controls.Ā CMMC is more comprehensive than DFARS and easier to impose.Ā CMMC has a better alignment with todayās threat environment.Ā Ā Ā
Contractors should strive to meet the NIST SP 800-171 standard imposed by DFARS at Level 2 maturity and get validated by an Independent third-party assessor to prove they have a resilient cyber security posture.Ā
Conclusion
Companies following the NIST SP 800-171 Standard and having DFARS in place should have no problem getting CMMC compliance.Ā Companies need to remember that NIST SP800-171 is a non-federal regulation not specific to the DOD.Ā NIST SP 800-171 rev 3 includes 17 NFO (Non-Federal Organizational) controls.Ā This conclusion does not mean companies can ignore those controls.Ā The NFO controls are considered fundamental and represent due care and diligence.Ā CMMC is a robust compliance program that protects information shared between companies and the DOD and all info about DOD dealings generated and stored by companies.Ā CMMC implementation will result in a more defined, clear set of rules for companies to adhere to.Ā Ā
If you would like more information on our CMMC services, you can visit the CMMC page.Ā
To purchase a CMMC assessment order at our online store.
