Since November 30, 2020, the DFARS 252.204-7019 clause has required DoD contractors to complete a Basic Assessment of their compliance with NIST 800-171. A Basic Assessment is a self-assessment using your organization’s System Security Plan (SSP) and Plan of Actions and Milestones (POAM) to calculate your score out of NIST 800-171’s 110 controls. This score must be uploaded to the Supplier Performance Risk System (SPRS). However, Basic Assessments were just the beginning, and some recent announcements made by Mr. John Ellis, Director of the Defense Contract Management Agency (DCMA)’s Software Division and Co-Founder of the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), signal the start of Medium Assessments.
What are Medium Assessments?
Medium Assessments are also an assessment of your organization’s compliance with NIST 800-171 but instead of being a self-assessment, Medium Assessments are conducted by DCMA’s DIBCAC. This will include a thorough investigation of your documentation like your SSP and POAM and include a review of your policies and procedures.
It is estimated that roughly 200 organizations will go through a Medium Assessment each year from randomly selecting from the over 19000 companies with scores in SPRS.
What do Medium Assessments mean for me?
If you’re among the organizations with a score in SPRS, Medium Assessments could mean receiving a call requesting the receipt of your organization’s SSP and POAM for investigation within the following few days, along with any additional supporting documentation like policies and procedures.
Can I really be penalized under the False Claims Act?
The short answer is yes, but this is nothing new. The False Claims Act (FCA) was first enacted in 1863 to penalize defense contractors for fraud during the American Civil War. It was also amended in 1986 to incentivize whistleblowers to come forward with fraud allegations. Where do you come in? Well, that part is relatively new. In early October 2021, the Department of Justice announced that a new Cyber-Civil Fraud Initiative would seek to leverage the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. Punishable offenses include knowingly providing deficient cybersecurity products or services, knowingly violating obligations to monitor and report cybersecurity incidents and breaches, and knowingly misrepresenting cybersecurity practices or protocols. This means that if a falsified score was uploaded into SPRS, you could be subjected to a civil penalty of up to $10,000. According to FedScoop, if any fraud on your behalf leads to a breach or damages to the government, you could be forced to pay triple the damages.
What do I do now?
This greatly depends on where you are in your process.
I don’t have a score in SPRS
If you haven’t uploaded your score into SPRS or developed your SSP and POAM, Ardalyst highly recommends getting started NOW! If you’re looking for DIY solution to walk your through scoring, check out our free NIST 800-171 Self-Assessment Tool. This step-by-step tool is a comprehensive guide to deliver your preliminary score out of 110 NIST 800-171 controls. Our team of CMMC-AB Registered Partitioners (RP) can also walk you through a free compliance consultation to provide a preliminary score and a summary report of their findings that you can incorporate into your SSP and POAM. From here we can make recommendations for next steps and help you get started with a comprehensive managed cybersecurity program.
I have a score in SPRS
Awesome! This is an important first step. With your SSP, POAM, and all policies and procedures handy, you’re ready to go if you’re one of the companies chosen for a Medium Assessment. If you have a score, but still need documentation, schedule your free consultation with our CMMC-AB RPs and get started quickly and accurately developing the proper documentation to be prepared for an assessment.
I’m freaking out about a possible assessment
Breathe! At 200 companies assessed per year, the likelihood of you being selected is roughly 1%. However, this won’t absolve you from having to meet the requirements, having all your documentation prepared, or needing to be ready for either a DIBCAC or a C3PAO assessment to achieve CMMC certification, so it’s best to tackle everything as soon as possible.
Wherever you are in your journey, we can help. Ardalyst services are also backed by our Assessment Guarantee. Should you fail an assessment, we’ll make the necessary changes to your program at no additional cost – we are behind you 100%! Contact us online at www.ardalyst.com, email us at info@ardalyst.com, or call us at (833) 682-8270 to get started and schedule your free consultation today.
