By Chor-Ching Fan

Under NIST SP 800-171, Department of Defense (DoD) contractors were considered compliant if they could demonstrate a plan for meeting security requirements at a future date. With a Plan of Action and Milestones (POAM) document outlining an action plan for implementing 800-171 security controls, contractors could achieve 800-171 compliance. The DoD used POAMs to assess and monitor the progress contractors made in correcting security weaknesses. NIST SP 800-171 allowed contractors to self-assess, making it easier for small- and mid-size businesses (SMBs) to achieve compliance. 

While 800-171 compliance started the ball rolling and helped contractors shore up some of their security controls, the DoD recognized that there was still work to be done. Citing the need for a more rigorous standard for cybersecurity to protect Controlled Unclassified Information (CUI), the DoD has announced that beginning in 2020, DoD contractors will need to comply with a new cybersecurity compliance standard: the Cybersecurity Maturity Model Certification (CMMC) program. The CMMC will be a single standard for all DoD contracts, with five levels of CUI security, ranging from basic cyber hygiene to advanced. 


One of the most important takeaways from this announcement is that all DoD contractors will need to be certified by a third-party assessor for CMMC, eliminating the self-assessment option for demonstrating compliance. Additionally, with the introduction of the range of CMMC CUI levels to accommodate varying security needs of contractors, the individual levels will be hard and fast. Beginning mid-2020 the required CMMC level for a contract will be published in RFP sections L & M. POAMs will become a thing of the past…at least in the context of substitution for addressing a control requirement.  POAMs are still very much required for identifying weaknesses and driving action plans.  All DoD contractors must be certified at Level 1 or higher and every control required for a particular level must be implemented—no exceptions. 

The end of self-assessment and POAMs for DoD contractors increases the difficulty of achieving and maintaining compliance for many SMBs. With limited staff and financial resources, contractors need a solution that delivers a compliance tool backed by experts with over 20 years of experience. Rizkly’s cyber, data and audit compliance professionals designed the Rizkly app to help contractors achieve and maintain CMMC compliance with an easy-to-use cloud solution accompanied by an expert to advise you when you have questions or need help. 

Rizkly offers the perfect CMMC compliance solution for SMBs for one low monthly rate. We can help you navigate the requirements for CMMC certification and manage your compliance efforts more effectively. To learn more about Rizkly, please contact us. We’ll pick up the phone and give you a call.