Department of Defense Contractor Cybersecurity Brief

by Robert Gillen

What is happening with Department of Defense Cybersecurity Regulations?

Navigating the policy landscape of Department of Defense (DoD) contracting can be a frustrating experience. Cybersecurity regulations are no exception: the past few years have brought major changes in expectations, and those expectations seem to be revamped every year. This post walks you through the latest from the perspective of a small business that just wants to continue doing business with DoD.


What is the goal?

DoD wants to protect “controlled unclassified information” (CUI) – information that is sensitive enough to require protection, but not sensitive enough to require security classification. The goal is protection of information using technology, policy, and education in your company.


What is the latest?

As of right now, if you have a contract with DoD, it likely includes DFARS clause 252.204-7012, which requires you to work toward compliance with the security requirements in NIST Special Publication 800-171, perform a self-assessment and report the score to the DoD Supplier Performance Risk System (SPRS), and report any cyber incidents to DoD within 72 hours of discovery. If you have this clause and are not doing these things, you are not in compliance with your contract.


What is coming?

DoD has introduced the Cybersecurity Maturity Model Certification (CMMC) system to replace the self-reported NIST 800-171 process. Over the next five years, DoD will transition from the NIST SP 800-171 system to CMMC by replacing the DFARS clause listed above with new clauses mandating CMMC. This system includes a slightly expanded set of requirements and third-party assessors at certain levels to certify companies. Proper certification will soon be required for responding to proposals as well as executing contracts.


What do I do?

  1. Comply with your contract – NIST SP 800-171 and self-assessment
    If you have the applicable DFARS clause and handle DoD CUI, you must work toward NIST SP 800-171 compliance. As of today, that includes maintaining documentation like a System Security Plan (SSP) and a Plan of Action and Milestones (POAM) showing your progress. This also includes uploading your self-assessment score per the process outlined by DCMA’s cybersecurity group.
  2. Learn about CMMC – see links below
    While the CMMC assessment methodology and infrastructure are new, the requirements for the various certification levels have been published. Read up on the levels and consider which certificate your company will likely need. NIST SP 800-171 is entirely contained within CMMC Level 2 – that is, any work you are doing toward NIST SP 800-171 compliance will carry over to a future CMMC Level 2 certificate.
  3. Get some help
    This can be a frustrating and overwhelming process, especially when you don’t have what you need. FastLane (937.229.1368) advisors get you to solutions faster to make your life easier.


What is…

DFARS

The Defense Federal Acquisition Regulation Supplement is the version of the Federal Acquisition Regulation (FAR) used by DoD to list requirements for being a supplier/contractor. DFARS clauses appear in contracts with DoD and are often flowed down through the supply chain, meaning your company may have to comply with them even if you are not contracting directly with DoD.

CUI

Controlled Unclassified Information is what these policies are trying to protect. What constitutes CUI and how it is identified is evolving – for the latest, go to https://www.dodcui.mil. Contractors are expected to work with their supply chain and DoD customer to determine where they have CUI.

NIST SP 800-171

The National Institute of Standards and Technology publishes many security standards and guidelines used across DoD. Special Publication 800-171, originally a set of “guidelines”, has been adopted by DoD as “requirements” for its contractors handling CUI. These requirements have been incorporated into the CMMC system.

SPRS

The Supplier Performance Risk System is DoD’s database of supplier performance and where all NIST 800-171 and CMMC Level 1 self-assessment scores are stored. Results will be available to DoD agencies to consider before awarding contracts.

CMMC levels

CMMC is administered by an accreditation body (the Cyber AB, https://cyberab.org) which is in charge of the process for certifying contractors. The CMMC levels are officially defined by the maturity of “cyber hygiene” within the company, but DoD will require certain levels of certification to apply for and win awards. Level 1 covers safeguarding Federal Contracting Information, implying that any company holding information that reveals it is working with DoD will need to be certified at Level 1 or higher. Level 1 certifications can be self-assessments. Level 2 covers the handling of actual CUI and could require a third-party assessment. Visit the Cyber AB for more.



Have questions about cybersecurity for your business?