Who, What, Where, When, Why, & How of CMMC
If you are involved in a Department of Defense contract as a prime or subcontractor, you are most likely required to meet the guidelines of the Defense Acquisition Regulations System (DFARS) Interim Rule and Cybersecurity Maturity Model Certification (CMMC). Chances are you have been recently contacted by a number of your customers inquiring if you have posted your assessment score in the Supplier Performance Risk System (SPRS). This can be quite overwhelming with a lot of questions and very few answers.
The purpose of this page is to briefly explain what this all involves and where Wolkerstorfer Company is in the process. In other words, the Who, What, Where, When, Why, and How of Cybersecurity.
The Department of Defense (DoD) has, for the last few years, encouraged contractors to tighten up their protocols for handling Controlled Unclassified Information (CUI). A number of rules called Defense Federal Acquisition Regulations (DFARS) have been widely ignored by industry, so the DoD implemented the DFARS Interim Rule under DFARS Case 2019-D041, which will ultimately be called CMMC.
Companies that do business directly or indirectly with the DoD must comply with a number of rules or “practices” to ensure they have the proper procedures in place to protect DoD documents.
In broader terms, the “where” is both your physical facility and your IT systems: CUI must be protected and secured wherever it exists in your company.
Effective November 30, 2020, a company doing business directly or indirectly with the DoD must, at a minimum, perform a self-assessment of its cybersecurity. That company must follow specific guidelines, and then post its score in the DoD Supplier Performance Risk System (SPRS).
As you are aware, the number of “bad guys” out to steal your personal information is at an all-time high, and the recent discoveries of Russian and Chinese hacks have put our National Security in a poor light. This is one of our “new norms.”
To combat this, businesses like ours and yours will be required to meet a number of practices or rules. We will then be in a position to prove to a third-party auditor that our systems are in compliance.
Wolkerstorfer Company has completed our self-assessment and we have posted our score in SPRS. We are working on our Plan of Action and Milestones (POAM). It is our plan to be in full compliance well before the 2025 deadline.