Bringing it all together
By this point, we have covered the differences between DFARS 252.204-7012 and FAR 52.204-21, as well as between CMMC and NIST SP 800-171. Now we bring it all together and talk about how the frameworks overlap and how to comply with them.
The control overlap
As we now know, if you are complying with DFARS 252.204-7012, you are also covered for FAR 52.204-21. Since DFARS 252.204-7012 directly calls upon NIST SP 800-171, complying with it also means you are complying with NIST SP 800-171. Another key point is that CMMC Level 1 sits entirely within the NIST SP 800-171 controls, so you will also be ready to entertain a CMMC Level 1 audit. In short, by complying with DFARS 252.204-7012 alone, you cover all of NIST SP 800-171, FAR 52.204-21, and the CMMC Level 1 controls. CMMC Level 3 is also heavily covered, needing only 20 more controls beyond the 110 in the NIST framework. However, implementing the controls does not, by itself, mean you are certified under each of these frameworks.
The certification
The DoD has a specific methodology for assuring compliance with the NIST SP 800-171 controls, and CMMC currently has its own auditing body. Your scores can be self-attested or audited by the DoD at various depths (medium or high assurance). Regardless of the method, your scores will need to be uploaded to the Supplier Performance Risk System (SPRS). (Note: a basic assessment can be sent to webptsmh@navy.mil if there is no score on file that is less than 3 years old.) DFARS 252.204-7019 sets out the assessment requirements for implementing the NIST SP 800-171 framework. CMMC is a separate certification that requires an auditor to come and verify your CMMC implementation level. The controls overlap heavily, but, as of this writing, your SPRS score cannot be substituted for a CMMC certification. There is no certifying body solely for FAR 52.204-21, but having your score in SPRS will more likely than not cover that federal clause. We would recommend asking an expert to be sure. Trawvid Sec is always available to clarify any questions your business may have. At arm's length, however, it is safe to say that you will need to go through at least two certification processes (one for DoD compliance with NIST and another for CMMC) to achieve compliance with all four.
What this means for a small or medium-sized business
The constant appearance of government clauses and mandatory cybersecurity compliance can seem daunting, but with a good understanding of how they all play into one another, the objectives seem less lofty. There is significant overlap among all four. If you need any help piecing together your compliance packages to present for a federal acquisition, Trawvid Sec can help. Our goal is to make sure you can accept contracts without interrupting your business flow.