The Cybersecurity Maturity Model Certification (CMMC) is the new cybersecurity framework for defense contractors that is being rolled out over five years. In the meantime, the Department of Defense (DoD) announced an interim rule requiring defense contractors to self-assess their implementation of the National Institute of Standards and Technology (NIST) Special Publication 800-171 cybersecurity controls and be subject to DoD audits.
Both CMMC and the interim rule provide huge opportunities for MSPs because financial penalties for noncompliance can be hefty. Many of the 300,000 defense contractors rely on their contracts to stay alive. Even those with a lower reliance on defense contracts don’t want to lose the profits. Failure to comply can result in cancelled contracts, being banned from future contracts, civil claims under the federal False Claims Act, and potential criminal penalties for fraud.
DFARS NIST 800-171 Interim Rule
The Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirements are referenced in over 87% of defense contracts. Since 2017, the DFARS 252.204-7012 clause has required defense contractors to implement the 110 cybersecurity controls defined in NIST 800-171 to protect Controlled Unclassified Information (CUI).
Surveys and audits showed, however, that most defense contractors had not complied with the DFARS requirement, so the DoD created CMMC, which requires them to pass an independent cybersecurity assessment to qualify for defense contracts. CMMC necessitates that an entire new ecosystem be developed from the ground up: building out the training materials and trainers, training and certifying assessors and consultants, and then assessing and certifying over 300,000 defense contractors. It will not be mandated in all defense contracts until FY 2026, which begins in October 2025.
Because of the long rollout, the DoD announced an interim rule in September 2020 that requires contractors to score their implementation of NIST SP 800-171 and post their score in the federal Supplier Performance Risk System (SPRS) database to get new defense contracts and renewals until CMMC takes effect. The interim rule became effective at the end of November 2020.
Scoring follows the DoD's NIST SP 800-171 Assessment Methodology: points for unimplemented controls are deducted from a perfect score of 110 (the number of controls in NIST 800-171). Each control carries a weighted deduction of 1, 3, or 5 points, so the score can range from 110 down to –203. Two practical caveats: the system security plan control (3.12.4) is not point-weighted, because without an SSP no assessment can be completed at all, and only two controls allow partial credit (multifactor authentication, 3.5.3, and FIPS-validated cryptography, 3.13.11, each of which loses 3 of its 5 points when partially implemented). The score submitted to the federal database is good for three years, but ongoing compliance is required because the contractor must be prepared for a DoD or prime contractor audit at any time.
Negative scores are possible. For example, a new client asked for our help implementing the 34 controls they were missing. During our initial meetings they told us they had posted a score of 76 to SPRS by simply subtracting one point for each missing control. After we began working with them, we applied the weighted deduction for each missing control and determined that their actual score was –4.
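The calculation behind that story, as an added example that is not part of the original article: a small scorer that applies the 1/3/5-point weights, honours the partial-credit rule for 3.5.3 and 3.13.11, and refuses to score an assessment with no system security plan (3.12.4). The 34 findings are constructed to reproduce the client's numbers (18 five-point, 4 three-point and 12 one-point gaps); apart from 3.5.3 and 3.12.4, the control identifiers in the sample are placeholders, not real NIST SP 800-171 requirement numbers, and the weight for every real control must be taken from Annex A of the DoD methodology, not from this code.

```python
from dataclasses import dataclass

PERFECT_SCORE = 110        # one point per NIST SP 800-171 control
VALID_WEIGHTS = {1, 3, 5}  # the only deduction values the DoD methodology uses
SSP_CONTROL = "3.12.4"     # system security plan: without it no assessment can be completed
# The two controls that may receive partial credit; each is worth 5 points and a
# partial implementation is assessed a 3-point deduction instead of the full 5.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Finding:
    """One control the contractor has not (fully) implemented."""
    control: str          # requirement number, e.g. "3.5.3"
    weight: int           # 1, 3 or 5, from Annex A of the assessment methodology
    partial: bool = False  # True only for a partially implemented 3.5.3 or 3.13.11


def naive_score(findings):
    """The mistake described in the article: one point off per missing control."""
    return PERFECT_SCORE - len(findings)


def dod_score(findings):
    """Weighted score per the DoD NIST SP 800-171 Assessment Methodology."""
    seen = set()
    deduction = 0
    for f in findings:
        if f.control == SSP_CONTROL:
            raise ValueError("3.12.4 (system security plan) missing: no score can be produced")
        if f.weight not in VALID_WEIGHTS:
            raise ValueError(f"{f.control}: weight must be 1, 3 or 5, got {f.weight}")
        if f.control in seen:
            raise ValueError(f"{f.control}: control listed twice")
        seen.add(f.control)
        if f.partial:
            if f.control not in PARTIAL_CREDIT_DEDUCTION:
                raise ValueError(f"{f.control}: partial credit is only allowed for 3.5.3 and 3.13.11")
            deduction += PARTIAL_CREDIT_DEDUCTION[f.control]
        else:
            deduction += f.weight
    return PERFECT_SCORE - deduction


# Constructed sample: the article's client with 34 gaps. Only 3.5.3 is a real
# requirement number here; the other identifiers are placeholders.
CLIENT_FINDINGS = (
    [Finding(f"five-point-{i:02d}", 5) for i in range(1, 18)] + [Finding("3.5.3", 5)]
    + [Finding(f"three-point-{i:02d}", 3) for i in range(1, 5)]
    + [Finding(f"one-point-{i:02d}", 1) for i in range(1, 13)]
)


def with_partial_mfa(findings):
    """Same assessment, but MFA (3.5.3) is in place for privileged/remote access only."""
    return [Finding(f.control, f.weight, True) if f.control == "3.5.3" else f
            for f in findings]


if __name__ == "__main__":
    print("controls missing:", len(CLIENT_FINDINGS))
    print("score the client posted:", naive_score(CLIENT_FINDINGS))
    print("score per DoD methodology:", dod_score(CLIENT_FINDINGS))
    print("same, with MFA partially implemented:", dod_score(with_partial_mfa(CLIENT_FINDINGS)))
```

Run it and the first two lines match the article (34 gaps, a posted 76) while the weighted score comes out at –4; fixing MFA for privileged and remote access alone only lifts it to –2, which is why the scorer is most useful when run repeatedly as a remediation tracker rather than once before the SPRS submission.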