Healthcare Resolution Services wants to stress how vital it is for all organizations that contract with the DoD to verify that they meet compliance for both FAR 52.204-21 and DFARS 252.204-7012, which have been in place since 2017. Failure to do so will lead to the loss of active and scheduled contracts. HCRS doesn’t make this claim lightly. They experienced this concern roughly a year ago when the Defense Health Agency (DHA) notified them to submit a basic NIST SP 800-171 DoD assessment in the Supplier Performance Risk System (SPRS) for all covered contractor information systems, or DHA would not exercise the option years. This meant a potential loss of a $900-million IDIQ contract. Here’s what HCRS learned from the experience.
The Call
Brenda Doles, principal of HCRS, vividly remembers getting the notice. “It’s one of the worst wakeup calls you can ever have, and I was left flabbergasted. We’ve been helping government agencies at the local, state, and federal levels for 20+ years when it comes to their data management and compliance. We’ve been advocating for these crucial measures that were important even before CMMC was created to enforce them. And to be told at that time that we were missing a piece of that framework ourselves was eye-opening, to say the least.”
The Reason
Any contractor that processes, stores, or exchanges Controlled Unclassified Information (CUI) and/or Federal Contract Information (FCI) on behalf of the DoD is required to have CMMC certification via an independent assessor. HCRS was told that they needed to have a current assessment score in SPRS prior to task order renewal. Upon further review with their IT, it was determined that their internal resources, while highly competent, had not received training or certification specific to the upcoming CMMC accreditation process. “They were certain that they were compliant, but it turned out that we were missing critical policies, procedures, processes, and workflow tools needed to succinctly process, store, and transmit FCI and CUI according to the NIST SP 800-171 and CMMC requirements,” Doles explains.
Over the past year, HCRS coordinated with its managed service provider (MSP), which also serves as a Registered Provider Organization (RPO), to perform a third-party assessment of its NIST 800-171 compliance posture. Subsequently, they upgraded systems, secured CMMC-AB resources, and brought their company into compliance. They’re proud of the fact that they are now a Cyber AB-certified Registered Provider Organization (RPO) with credentialed resources on staff.
The Takeaway
Doles notes that this misunderstanding with IT has happened with other organizations they’ve partnered with. “Their departments swear they know it all and that they’re compliant. Then we review their networks and find one or more areas where they are not fully aligned with NIST SP 800-171 or CMMC, and their IT teams are surprised — probably as much as ours was the day we got that call.”
Doles also emphasizes that the point of sharing this experience isn’t to cast blame or doubt on those IT departments. “These are new requirements. Without proper training, we can’t hold our employees accountable. NIST 800-171 entails 110 practice requirements that must be met. Organizations Seeking Certification (OSC) must submit two pieces of evidence per practice requirement to validate compliance. Such evidence must be adequate and sufficient as defined by the government. Fortunately, the scoring methodology used by DoD permits Plans of Action and Milestones (POA&Ms), which give 180-day extensions for any requirements that are not met at the time of an assessment. The point of talking about this is to make it clear to business owners that they shouldn’t treat the NIST SP 800-171 and CMMC requirements with complacency or arrogance, because there’s likely more work to be accomplished. Be proactive. Secure an RPO like HCRS to start with a gap analysis, prepare a SPRS score, develop POA&Ms as needed, and ultimately create a successful path to accreditation.”
Contractors that would like additional information regarding CMMC compliance are encouraged to contact HCRS.