While there is still some time to get on board and prepare for CMMC certification, the government has released an interim requirement that becomes effective November 30th, 2020. See https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of.

The interim rule requires: “…a company must (1) implement 110 security requirements on their covered contractor information systems; or (2) document in a “system security plan” and “plans of action” those requirements that are not yet implemented and when the requirements will be implemented. All offerors that are required to implement NIST SP 800-171 on covered contractor information systems pursuant to DFARS clause 252.204-7012, will be required to complete a Basic Assessment and upload the resulting score to the Supplier Risk Management System (SPRS)”.

Tens of thousands of companies will be affected (see Level 3 and above in the DoD projections below).

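| Year | Level 1 | Level 2 | Level 3 | Level 4 | Level 5 | Total |
|------|---------|---------|---------|---------|---------|-------|
| 1 | 665 | 110 | 335 | 0 | 0 | 1,110 |
| 2 | 3,323 | 555 | 1,661 | 2 | 2 | 5,543 |
| 3 | 11,086 | 1,848 | 5,543 | 4 | 4 | 18,485 |
| 4 | 21,248 | 3,542 | 10,624 | 6 | 6 | 35,426 |
| 5 | 21,245 | 3,541 | 10,623 | 7 | 7 | 35,423 |
| 6 | 21,245 | 3,541 | 10,623 | 7 | 7 | 35,423 |
| 7 | 19,180 | 3,197 | 9,590 | 7 | 7 | 31,981 |
| 1-7 | 97,992 | 16,334 | 48,999 | 33 | 33 | 163,391 |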

As far as industries affected, the DoD projects that “The top five NAICS code industries expected to be impacted by this rule are as follows: 541712, Research and Development in the Physical, Engineering, and Life Sciences (Except Biotechnology); 541330, Engineering Services; 236220, Commercial and Institutional Building Construction; 541519, Other Computer Related Services; and 561210, Facilities Support Services. These NAICS codes are the same as the DoD Assessment NAICS codes and were selected based on a review of NAICS codes associated with awards that include the clause at FAR 52.204-21 or DFARS 252.204-7012.”

Actifile routinely helps its SMB/SME customers self-assess against NIST 800-171 by discovering Controlled Unclassified Information (CUI) and making sure the information is tracked, protected (including with AES-256 encryption), and removed upon completion of the projects.

Furthermore, it helps SMBs/SMEs and their MSPs understand which devices house CUI, consolidate the CUI, and redirect cybersecurity efforts to the devices that matter.

So don’t put your access to government contracts at risk: ask your MSP about NIST 800-171 readiness today.