Small and medium-sized businesses face a daunting challenge in supporting our nation’s military needs. Complying with the ever-changing cybersecurity regulatory environment can be painful. While there are many articles and technical references discussing the change to the Defense Federal Acquisition Regulation Supplement (DFARS), it might be helpful to simply address the common sense behind the changes coming both now and over the next few years. Here is a framework to understand the current requirements, the changes around the corner and the much-touted Cybersecurity Maturity Model Certification (CMMC), which is coming slowly but surely.
There are two major thrusts in these upcoming changes. The first relates to Controlled Unclassified Information (CUI); the other is part of the CMMC effort, which is still in the crawl phase of crawl, walk, run.
What do I do if I have an existing DoD contract?
Any company that wishes to do business with DoD, or which has an existing DoD contract and would like to see an option year awarded, will be required to meet the NIST 800-171 security requirements both for specified information systems provided to the government and for the company's internal information systems. To obtain the required certification, a company must comply with both these NIST requirements and with the specific DoD requirements under the DFARS.
There are three levels of assessment early on as part of the new DFARS Interim Rule: Basic, Medium and High. More specifics and particulars on these levels are discussed in the balance of this article.
Effective November 30, 2020, a new Defense Federal Acquisition Regulation Supplement (DFARS) rule will require Cybersecurity Maturity Model Certification (CMMC) for any company submitting proposals for government contracts related to the DoD. The DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, will be included in all solicitations and contracts, including those using Federal Acquisition Regulation (FAR) part 12 commercial item procedures, except for commercially available off-the-shelf (COTS) items. The clause requires contractors to apply the security requirements of NIST 800-171 to “covered information systems.” For more details on this new rule see https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-fede
At this point, some companies might be tempted to call for professional help. But do read on, as there is a way of combining improved security and risk reduction with compliance. This is the secret mission of Assured Enterprises—to improve cybersecurity, reduce risk and deliver full and timely compliance.
The DoD Assessment Methodology provides for the assessment of a contractor’s implementation of the NIST 800-171 security requirements, as required by DFARS clause 252.204-7012. More information on the NIST 800-171 DoD Assessment Methodology is available at https://www.acq.osd.mil/dpap/pdi/cyber/strategically_assessing_contractor_implementation_of_NIST_SP_800-171.html.
The Assessment uses a standard scoring methodology applied at the Basic, Medium and High levels. The level indicates the depth of the assessment conducted. These levels dovetail with Assured’s own variable levels of risk assessment.
Basic is a self-assessment (which will soon become nearly obsolete), while Medium and High require review by the government or an approved third party. In practical terms, the government is still defining the system for outsourced assessments, or other practices, for these higher levels of assessment and certification. The Interim Rule precludes the award of any contract, or the extension or modification of any contract, within the DoD to a firm that does not have an assessment documented within the Supplier Performance Risk System (SPRS) at https://www.sprs.csd.disa.mil/.
The CMMC and the new interim DFARS rule can be confusing. That’s why Assured is offering free, confidential phone consultations to help you understand your current position and how we can help you achieve compliance with these rules. Contact us today to learn more about how we can help you meet the new requirements. The Assured Team includes Richard Russell, who served as a Deputy Associate Director of National Intelligence within the DNI CIO and as the former CTO of the cybersecurity division of L3 Communications (now L3Harris), a major US defense prime contractor, as well as experienced lawyers and others.