The DoD Interim Rule: Act Now, Prepare, or Delay?

The CMMC rollout is now behind the initially planned schedule, as it is currently under review at the DoD. Industry associations came together and wrote a six-page letter to DoD officials outlining their support of the CMMC, but with some recommendations.

MISI has been providing assistance to DoD supply chain small businesses by helping them develop preparedness strategies to recover from cyber-attacks, such as ransomware. This assistance includes developing, testing, and implementing an incident response and recovery plan.

On September 29, 2020, the DoD published an interim rule (effective November 30, 2020) codifying: (1) the NIST SP 800-171 DoD Assessment Methodology; and (2) the CMMC Framework. Bolted onto DFARS clause 252.204-7012, the interim rule includes the following:

Action 1. DFARS provision 252.204-7019, which requires contractors to complete a NIST 800-171 assessment at least every three years and post the results to the Supplier Performance Risk System (SPRS) in order to be considered for award. 

Action 2. DFARS clause 252.204-7020, which requires contractors to provide the DoD access to their systems, facilities, and personnel in order to validate NIST 800-171 compliance via an independent assessment. 

Action 3. Contractors are also responsible for ensuring that their subcontractors supporting a potential DoD contract also have completed a NIST 800-171 assessment and have posted the results to SPRS prior to award. 

DFARS clause 252.204-7021 refers to the CMMC requirements.

We advise and support DoD supply chain small businesses to comply with DFARS provision 252.204-7019 and DFARS 252.204-7020 and ensure that their subcontractors also have completed the NIST 800-171 assessments and uploaded them to the SPRS system.

We also remind all our customers that while we don’t know exactly how and when the DoD is going to push out the final CMMC compliance requirements, everything you do relative to Actions 1-3 as listed above accelerates your CMMC readiness and compliance with immediate mandates. Cyber compliance and readiness is not a one-and-done deal. You must keep up with your compliance readiness until you are assessed, and of course after you are assessed. You do not want to get caught unprepared.

How does MISI help?

  • We have a number of staff that are trained and experienced to provide DFARS cyber compliance support.
  • MISI has a roster of cyber defense and cyber threat analysts that can assist you with vulnerabilities and active threat mitigation.
  • MISI’s cyber compliance coaches are versed in cyber, the CMMC, and NIST. They can help develop your policies and get you through each control with the appropriate evidence needed in the event of an assessment.
  • MISI has FedRAMP, Impact Level 4 AWS cloud software that provides the mechanism to get through the NIST and CMMC controls and allows you to securely load your policies and compliance evidence. The software also tracks your vulnerabilities and vulnerability mitigation progress, and is updated every few minutes with vulnerability data from your network.
  • MISI’s cloud hosted platform is also used by our penetration team to run penetration testing campaigns against your network almost daily to search for exploitable vulnerabilities and discover compliance gaps.
  • MISI’s MSOC is a cloud-hosted Elastic SIEM with XDR, artificial intelligence, and machine learning capabilities that help the MISI team hunt for active threats. The team analyzes threats and notifies customers after analysis.

Subscribers to the MISI suite of individual or bundled services get continuous support. If the business has contracted with an MSSP or other technology services provider, our team works with them under the supervision of the customer. The team also supports prime and contracting officer cyber compliance surveys.

A few interesting facts:

  • MISI is a 501(c)(4) not-for-profit.
  • We are always on the hunt for technologies that can help meet DoD cyber compliance requirements in a cost-effective manner.
  • MISI has been providing cyber resilience and compliance services to DoD mentor protégé program participants since 2019 as part of DoD’s Project Vigilis, for which MISI is the prime contractor. Small businesses can sign up for the DoD mentor protégé program by working with the various DoD small business offices.
  • MISI has special expertise in control systems (ICS/SCADA) technology used by DoD manufacturers for facilities and other critical infrastructure-related functions. MISI is always testing new technology, malware, and defensive technologies in our critical infrastructure lab, which utilizes physical assets and simulators.
  • MISI is a provider of cyber resilience and compliance services to a number of the nation’s Manufacturing Extension Partners (MEPs). MEPs are independent, mostly not-for-profit or state organizations formed to support small businesses, mostly manufacturers (in some states, all small businesses). The MEPs provide subsidized or cost reimbursement for approved cyber compliance technology and services. MEPs are supported through grants by the state, DoD, or NIST in order to meet their cyber compliance needs.
  • Small manufacturers and businesses should check with their state’s MEP to learn more about available funds to help cover the cost of cyber compliance and remediation.
  • MISI is an official supplier of cyber services to small DoD supply chain manufacturers in collaboration with the Florida MEP, Virginia MEP, and Indiana MEP, just to name a few.
  • MISI is supporting a number of small businesses critical to a variety of DoD missions.
  • The MISI staff supporting the DoD small businesses are all US citizens, background checked, and many have DoD security clearances at various levels.

MISI’s services and solutions are set up as a cost-sharing model, which helps to distribute and lower the cost of the technology solutions provided.

Don't delay! Act now and prepare your business for CMMC compliance with MISI.