CMMC News Rollup – October 25, 2020

Hello all,

Here are the latest third party articles and topics regarding CMMC, DFARS, and NIST 800-171 compliance.

Best of luck in your compliance journey! – Amira

DFARS 7012 , 7019, 7020 DoD Self Assessments Due

This list has some ‘dumb’ questions and some ‘smart’ questions, based on my conversations with contractors in the last few weeks. There isn’t enough guidance from DoD Acquisitions. The main spokespeople are focused on CMMC so it seems like they don’t feel authoritative about the NIST 800-171 requirements. No one else is giving public advice. Help!

How do I submit my organization’s DoD self assessment??

How does a contractor get access to SPRS if we weren’t registered before? Who do I talk to for access?

Can subcontractors get access to SPRS, or only primes? Are primes supposed to submit on behalf of subcontractors?

What method should be used to send an encrypted email to ? To send encrypted email, the sender needs to have the public key certificate of the destination email account. Where can this certificate be found?

If we manage to send an encrypted email correctly, how long will it take for it to be posted into SPRS?

Is the message only supposed to be summary information as listed in the rule, or are any documents supposed to be attached, such as SSP or POAM?

If my organization doesn’t have CUI on our systems (we use Gov or partner systems for CUI), should we submit something? What should we submit?

If multiple CAGE codes or multiple contracts use the same information system, how do we explain this in the submission?

Should clouds used to store, process, or transmit CUI be included in the self-assessment? (Amira’s comments: Since NIST 800-171 is focused on internal systems, a strict reading would ignore cloud evaluation. Why didn’t they ask for a DFARS 252.204-7012 self assessment?)

Lots of questions with a near deadline. If anyone can provide guidance or links to guidance, I will forward it out and give you full credit for the information. We need step-by-step instructions that a small business can perform. Please assist if you can.

Update on SPRS registration

We are already getting some informal answers from industry members. See this page for step-by-step SPRS registration screenshots and answers to some of the above questions.

Ransomware Guide – recommend adding to your Incident Response planning / drills

“The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have released a joint Ransomware Guide that details practices that organizations should continuously engage in to help manage the risk posed by ransomware and other cyber threats. The in-depth guide provides actionable best practices for ransomware prevention as well as a ransomware response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans.”

When will Certified Assessors be able to start?

From Daniel Bjorklund – he asked when Certified Professional training is expected and got a response from CMMC-AB that it is due 2021 Q1.

Certified Professional (CP) is the first tier toward becoming a Certified Assessor (CA). A CP is able to participate on assessment teams. A CA is allowed to lead assessment teams.

CMMCaudit.ORG is tracking training providers. We’ve heard from one provider that they are starting registration for CP boot camps, pending course approval by the CMMC-AB.

If you are a training provider and want to get your current status listed, please reply to this newsletter and let us know.

Cyber Awareness Training from the DoD (free)

While you should review the training yourself to make sure it is adequate, to my read, it covers the major points for awareness training through CMMC level 3.

CUI Training from the U.S. Government (free)

Federal News Network – critique of CMMC program

New resources for threat intelligence, CUI, CMMC-COA

Our most popular article: Policy templates and tools for CMMC and 800-171 has new recommendations for Threat Intelligence feeds, the new DoD CUI website, and the CMMC Center of Awesomeness (high-density excel spreadsheets, diagrams designed for cybersecurity pros)

Comments starting to be posted for DFARS Interim Rule

Reading the comments from small businesses is heartbreaking.

I think that secure systems (fully managed, sized for small companies) will be available in a few years (writing an article on this topic soon), but right now it is a very expensive lift. If you are a small business, I recommend brainstorming ways to stop handling CUI on your information systems. This is the only “easy button”.

Leave a Reply

Your email address will not be published. Required fields are marked *