Getting Ready for New CMMC Requirements Now

April 7, 2021

Right off the bat, we’re here to tell you that anyone promising you a sure-shot solution to all your CMMC woes is trying to pull a fast one on you. The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive move by the U.S. Department of Defense (DoD) that involves a lot of moving parts that have not been finalized yet. In fact, with the planned rollout of the new CMMC requirements scheduled to take place over the next five years (through to 2026), you should expect a few changes or bottlenecks along the way.

Despite the long implementation timeline, your business cannot afford to fall prey to misinformation or hope for a mythical magic bullet that will put an end to your CMMC woes. There’s absolutely no reason for you to wait until the last minute to implement the new security controls in hopes that everything will be clearer or totally in order by then. You need to seek accurate information with respect to your current cybersecurity maturity stance and what you should start preparing for. You should be implementing these changes within your business immediately to ensure you will be ready for the imminent changes to your eligibility as a contractor or supplier for the DoD and other federal entities.

We have highlighted some important aspects you must focus on now to remain eligible and in good standing with current regulatory requirements. In addition, we’ve also listed some strategic steps that you should immediately implement throughout your business to be ready for the enhanced cybersecurity practices required under the new CMMC framework.

The DFARS Interim Rule

Since the new CMMC requirements will not be fully rolled out until 2026, the DoD established an Interim Rule in the Defense Federal Acquisition Regulation Supplement (DFARS) to immediately push the DoD Assessment Methodology component of the CMMC framework and get a measure of how far contractors have implemented the existing cybersecurity requirements. DFARS Case 2019-D041, effective November 30, 2020, states that the Interim Rule requires all DoD prime contractors and the estimated 300,000-plus members of the Defense Industrial Base (DIB) supply chain to perform a basic self-assessment of their current cybersecurity posture and document the results in the Supplier Performance Risk System (SPRS) at https://www.sprs.csd.disa.mil/.

All contractors and subcontractors, having existing contractual obligations with respect to the NIST SP 800-171 framework standards, must complete a self-assessment that measures their organization’s implementation regarding the NIST requirements using the standard assessment and scoring methodology. The assessment score must be uploaded to the federal Supplier Performance Risk System (SPRS) database in addition to other requested or required documentation records.

To help you better understand the DFARS Interim Rule requirements, you must familiarize your organization with these important components:

  • Self-assessment: It involves evaluating the implementation of the 110 cybersecurity controls defined in NIST SP 800-171. DFARS clause 252.204-7019 requires organizations to perform these self-assessments alongside the existing DFARS clause 252.204-7012, and DFARS clause 252.204-7020 outlines the NIST SP 800-171 DoD Assessment Methodology that you must use to conduct them.
  • Scoring methodology: The scoring methodology begins with a “perfect” score of 110, one point for each NIST SP 800-171 control the organization must implement. Points are deducted for every control that has not been implemented; each deduction is worth one to five points depending on the individual control’s importance. No credit is given for partially implemented controls, except for multifactor authentication and FIPS-validated encryption.
  • Submission of the score: You must upload the self-assessment score to a governmental Supplier Performance Risk System (SPRS) database within 30 days of completing the assessment.
  • System Security Plan (SSP): It is a document that contains thorough details of implemented NIST 800-171 controls such as operational procedures, organizational policies and technical components.
  • Plan of Action and Milestones (POA&M): If you have not fully implemented any control, you must provide a POA&M document as an appendix explaining how you plan on addressing the deficiencies and by when you will complete the implementation. You can post updated scores once previously deficient controls have been addressed and remediated.
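As an added illustration of the scoring methodology described above (this is not code from the original article), a small Python scorer that deducts each unimplemented control's point value from 110, gives partial credit only to the two controls the article names, and lists the gaps that belong in the POA&M. The control numbers 3.5.3 and 3.13.11, the 3-point partial deduction, and the sample weights are assumptions, not values taken from the article; check them against the current DoD Assessment Methodology before relying on them.

```python
from dataclasses import dataclass

PERFECT_SCORE = 110          # one point per NIST SP 800-171 control
VALID_STATUSES = {"implemented", "partial", "not_implemented"}

# Assumption: the two controls that still earn partial credit (3.5.3 multifactor
# authentication, 3.13.11 FIPS-validated cryptography) and the reduced 3-point
# deduction are taken from memory of the methodology, not from the article.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

@dataclass(frozen=True)
class Control:
    control_id: str   # NIST SP 800-171 control number, e.g. "3.1.1"
    weight: int       # points deducted when not implemented (1, 3 or 5)
    status: str       # one of VALID_STATUSES

def deduction(control: Control) -> int:
    """Points lost for a single control under the scoring methodology."""
    if control.status not in VALID_STATUSES:
        raise ValueError(f"{control.control_id}: unknown status {control.status!r}")
    if control.status == "implemented":
        return 0
    if control.status == "partial" and control.control_id in PARTIAL_CREDIT_DEDUCTION:
        return PARTIAL_CREDIT_DEDUCTION[control.control_id]
    # Partial implementation of any other control counts as not implemented.
    return control.weight

def sprs_score(controls) -> int:
    """Score to upload to SPRS: 110 minus the deductions for every gap.
    Controls absent from the list count as implemented, so a real
    assessment must list all 110 controls."""
    return PERFECT_SCORE - sum(deduction(c) for c in controls)

def poam_items(controls):
    """Controls that must appear in the POA&M: anything not fully implemented."""
    return [c.control_id for c in controls if c.status != "implemented"]

# Constructed sample inventory: six controls with weights chosen for illustration.
SAMPLE = [
    Control("3.1.1", 5, "implemented"),       # fully implemented: no deduction
    Control("3.1.2", 5, "not_implemented"),   # -5
    Control("3.5.3", 5, "partial"),           # MFA partly rolled out: -3 instead of -5
    Control("3.13.11", 5, "partial"),         # encryption in use but not FIPS-validated: -3
    Control("3.3.1", 3, "partial"),           # no partial credit allowed here: full -3
    Control("3.8.6", 1, "not_implemented"),   # -1
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE), "POA&M items:", poam_items(SAMPLE))
```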

Eligibility to win any new federal or defense contract issued after December 1, 2020, depends on meeting the Interim Rule requirements. This essentially means the deadline for conducting a self-assessment and uploading your score and documentation to the SPRS database was yesterday (yes, you read that right) if your organization intends to accept any DoD or federally related contracts moving forward.

Immediate Steps to Take

If not already completed, your organization should prepare to conduct a thorough and accurate self-assessment to measure your cybersecurity posture score as soon as possible to ensure you are adequately securing and protecting your information assets. This is the first step in preparing for the more enhanced cybersecurity requirements and certification process rolling out under the new CMMC framework. To ensure you don’t miss out on any new contracts or renewal opportunities, you need to start preparing and implementing the necessary security controls and policies now.

Here are some steps you need to take to prepare your organization right away:

  • Establish a System Security Plan (SSP): Building an SSP will help you map your network and information assets (hardware and software) and will mark the beginning of knowing how many of the 110 controls your business has implemented so far.
  • Assess how you deal with controlled unclassified information (CUI): Ask yourself questions on how your business manages CUI — who accesses it, where CUI lives, how it is shared, etc.
  • Conduct a DoD self-assessment: Use a tool to conduct a self-assessment and obtain a score per the NIST SP 800-171 DoD Assessment Methodology.
  • Build a POA&M Document: In this document, list all the steps you will take to mitigate the deficiencies that prevented you from getting a perfect score of 110 (along with estimated completion time).
  • Upload the self-assessment score: Do not forget to upload the results to the governmental SPRS database within 30 days of conducting the self-assessment, along with SSP and POA&M.
  • Document everything: This step is non-negotiable. Ensure you document every important aspect of your journey — from preparation, to self-assessment, to remediation.

The enhanced cybersecurity policies, controls and standards within the CMMC regulatory framework are vast and complex, making understanding your obligations and how or where to get started a daunting and overwhelming task. Partnering with a specialist can help make the overall process less stressful and time-consuming. At our firm, we can provide you with the specialized tools and cybersecurity expertise you need to help you prepare for and implement the cybersecurity controls necessary to satisfy and validate compliance for both the DFARS Interim Rule and the new CMMC requirements.

Article curated and used by permission.
