Should defense contractors and subcontractors pursue NIST SP 800-171 or CMMC compliance now?
For Defense Contractors – Pursue NIST 800-171 or CMMC Now?
Should a defense contractor or subcontractor do NIST 800-171 or CMMC now? Interim DFARS clauses 252.204-7019 and -7020 require prime contractors and subcontractors to comply with NIST SP 800-171 and submit their Assessment Summary Level Results to DoD SPRS.
Let’s take a look at a frequently asked question…
Should I pursue NIST SP 800-171 or CMMC now? Simple answer: if you handle controlled unclassified information (CUI) right now, from October 2020 to September 2025, you should become NIST SP 800-171 ready first. CMMC will require less effort.
CMMC will be implemented in phases
Why? Because the DoD is phasing in CMMC requirements during calendar years 2021 – 2025. Until then, your DoD contract officer verifies your NIST SP 800-171 compliance prior to contract renewal or new award. The interim DFARS rule, effective November 30, 2020, includes DFARS clauses 252.204-7019 and -7020, which state that contractors and subcontractors who process or handle CUI must submit their assessment results (assessment summary level score) to the DoD Supplier Performance Risk System (SPRS). If you handle CUI, a contract officer cannot award you a new contract, including options or renewals of existing contracts, if you do not have a submission in SPRS.
If you are now in compliance, you should have most of the 110 practices completed. Otherwise, you should have a plan of action, with a completion date, for the practices not yet implemented. Finally, going from NIST SP 800-171 compliance to CMMC maturity Level 3 ready will take little additional effort, as CMMC Level 3 builds on top of that foundation and requires only 20 additional practices.
My name is Kyle Lai, president and chief information security officer at KLC Consulting. Please contact us if you have any questions or need assistance with NIST 800-171 or CMMC. You can email us at CMMC@klcconsulting.net. Thank you for joining us today.