CMMC 2.0 and
NIST 800-171 Compliance

If you contract business with the U.S. Department of Defense as either a prime or tiered subcontractor, and you handle “Covered Defense Information” (CDI) or “Controlled Unclassified Information” (CUI), DFARS 252.204-7012 requires you to protect it by implementing the NIST 800-171 cybersecurity standard. 

You must also implement a Cyber–Incident Response plan to manage and report malicious cybersecurity events to the DoD when they occur.

You must also perform a self-assessment to determine where you’re at with implementing these requirements and report your status to the DoD’s SPRS website (DFARS 252.204-7019 & -7020)

It’s fair to say that the recent DoD directive (DFARS 252.204-7024) that requires Contracting Officers to evaluate SPRS submittals (or lack thereof) arose because of the inadequate response to meet requirements. 

So, you risk losing your DoD contract work opportunities.  (The DoD’s Memo on June 16, 2022) states that failure to have or to make progress on a plan to implement NIST 800-171 requirements may be considered a material breach of contract requirements. 

DoD penalties & fines include: 

• Withhold progress payments,
• Forego remaining contract options, and 
• Contract termination in part or in whole.

False Claim Act (FCA) Prosecution:

If you falsely state you comply with DFARS 7012, the Department of Justice (DoJ) could charge you under the FCA. The most egregious non-compliance penalties include litigation and financial penalties that exceed $2 billion in fiscal year 2022.

If you’re just starting with NIST 800-171 and CMMC, contract a Gap Analysis with a reputable, authorized C3PAO Company. You’ll know with certainty where you’re at and what you need to do to become compliant.  Don’t waste time filling out a prefabbed NIST 800-171 template. It won’t fit your business, and you’ll go astray.

Many Defense Industrial Base companies have implemented cybersecurity protections but haven’t developed the depth and documentation required to pass an independent CMMC assessment.  Our CMMC Gap Analysis service identifies your deficiencies in the 320 assessment objectives of NIST 800-171’s practices. We provide recommendations and offer additional assistance with the best and most cost-effective way to achieve full compliance.

If you’re close to full compliance, consider a mock assessment or a Joint Surveillance Voluntary Assessment to elevate your status as a trusted business partner in the eyes of the DoD and prime customers.

Your cost to create and implement a CMMC compliance program depends on size and complexity.  Factors include:

• Industry Type
• Company size
• Number of CAGE Codes
• CMMC Level Requirement
• IT Environment:  Cloud, on-Prem, hybrid
•  Number of employees that need to handle defense information
• Current state of compliance

If you’re unsure that you have enough DoD contract opportunities to justify investing in a CMMC compliance program, we can help you develop a cost-benefit analysis.Are you looking for help with NIST 800-171 and CMMC compliance? Let’s talk. We provide no-cost initial consultations.