2020-12-03

New mandate as of Nov. 30 requires all defense contractors and subcontractors to perform a self-assessment on the 110 security controls of NIST SP 800-171, as part of the five-year CMMC rollout

By Oct. 1, 2025, the more than 300,000 non-federal organizations that comprise the Defense Industrial Base will be required to obtain the new Cybersecurity Maturity Model Certification (CMMC) at one of five levels, depending on their specific contract. To bridge the gap until CMMC is completely rolled out over the next five years, the Department of Defense (DOD) released an Interim Rule that went into effect this week on Nov. 30, designed to improve the reporting and compliance requirements of the current DOD cybersecurity standard by leveraging NIST SP 800-171.

Enhancements to the Kaseya Compliance Manager CMMC module guide defense contractors and subcontractors through the now mandatory NIST SP 800-171 Self-Assessment, which covers 110 security controls. The software then automatically scores the assessment using the DOD's proprietary scoring rubric and generates the required System Security Plan (SSP), which must be uploaded to the federal government's Supplier Performance Risk System (SPRS).

“The impact of the DOD’s new interim ruling has sweeping consequences. Every contractor and subcontractor who does business with the DoD must perform the NIST (SP) 800-181 compliance assessment using the DoD’s scoring methodology if they want to continue doing work with 7019/7020 clauses,” said Max Pruger, General Manager, Compliance Practice at Kaseya. “Performing and documenting the required self-assessment is a tremendous undertaking that most SMBs are not equipped to do on their own. As such, MSPs have a unique opportunity to help these businesses perform their interim assessments, and prepare for their CMMC third-party audit at the same time. With Kaseya Compliance Manager for CMMC, MSPs can collaborate with their clients to manage the compliance process, offer remediation services for vulnerabilities found during the self-assessment, and provide evidence of compliance for the third-party auditor.”

With the help of Kaseya Compliance Manager, the MSP or SMB undergoes the same vetting process performed during the third-party assessment. As the requirements of each CMMC level build on those of the previous level, Compliance Manager for CMMC allows MSPs and SMBs to perform each individual assessment in sequential order to identify and remediate issues before the actual certification audit.

“The DOD plans to release more Requests for Information and Requests for Proposals with CMMC requirements each year, starting with 15 in 2021 to eventually all of them by 2025,” added Pruger. “As a result, those contractors and subcontractors who achieve CMMC certification earlier have the best chance to win more contracts. In some cases, the MSPs themselves may also be required to obtain CMMC certification if they service clients with Controlled Unclassified Information (CUI). Kaseya Compliance Manager for CMMC is purpose-built to automate the rigorous cybersecurity assessment and documentation process outlined by the DoD so that SMBs and MSPs can proactively ready themselves to bid for these highly competitive contracts.”

Kaseya Compliance Manager is updated continuously to keep pace with the ongoing rollout of the various CMMC developments. Currently, Compliance Manager supports the NIST SP 800-171 self-assessment and the CMMC Level 1 and Level 2 assessments, with the CMMC Level 3 assessment to be available in Q1 2021. CMMC for 800-171 assessments, including the automatic scoring engine, automated SSP documentation and the required Plan of Action and Milestones (POA&M), will all be available later this month.