To thine own score be true….
Cue the music from Jaws. As the deadline gets closer and closer, the once looming prospect of compliance regulation is now upon us. Parabilis has stayed on top of the latest news pertaining to the Defense Department’s handling of CMMC, and the latest update deals with the required self-assessments that contractors recently registered in SPRS (Supplier Performance Report System). We have partnered with Cybersec Investments and CEO Fernando Machado to give you an update on what to expect, guidance on whether you will be affected, and, if so, the next steps to take.
The DCMA DIBCAC (Defense Contractor Management Agency / Defense Industrial Base Cybersecurity Assessment Center) is set to begin looking into companies that have entered self-assessment scores into SPRS. This assessment will consist of a review of the system security plan (SSP) description of how each requirement is met, to identify any descriptions that may not properly address the security requirements. Categorized as “Medium Assessments,” these will be a paper review of minimal impact to contractors. DIBCAC will initiate contact with the designated contractor on a Monday, and that contractor will be required to provide the already created SSP by Friday of the same week.
So what does this mean to you?
If your scores are deemed inaccurate based on the information provided, the next step is Corrective Action Requests (CARs). These CARs may result in the initiation of available contract remedies such as reduction of payments, cost disallowances, revocation of government assumption of risk of loss, or business management system disapproval, in addition to other actions.
What should you do?
As indicated in prior write-ups on this topic, you should be engaging and employing the services of a cybersecurity provider that has the proficiencies to assist your business. Additionally, you need to be clear that once you are designated by DIBCAC for this assessment, the remedy for any inaccuracies will remain imposed until you update your information and can then be reassessed for clarity of compliance. The time to contemplate whether or not this is really going to happen is over.
If you are not already receiving assistance from a CMMC expert, or you are not confident in or happy with your current provider’s level of service, it would be best to contact Fernando and his team at Cybersec Investments. They are widely used as an industry expert on CMMC and cyber compliance by numerous SBDC and PTAC offices throughout the country. You can follow them on LinkedIn for the latest news on this development, or reach out to Fernando Machado and mention this blog to receive a free initial consultation: fernando.machado@cybersecinvestments.us.