Navigating the policy landscape of Department of Defense (DoD) contracting can be a frustrating experience. Cybersecurity regulations are certainly no exception as the past few years have seen major changes in expectations that are seemingly revamped every year. This post will walk you through the latest from the perspective of a small business that just wants to continue doing business with DoD.
DoD wants to protect “controlled unclassified information” (CUI) – information that is sensitive enough to require protection, but not sensitive enough to require security classification. The goal is to protect that information through technology, policy, and education within your company.
As of right now, if you have a contract with DoD, it likely includes DFARS clause 252.204-7012, which requires you to work toward compliance with the security requirements listed in NIST Special Publication 800-171 and to report cyber incidents to DoD within 72 hours of discovery. If you have this clause and are not doing these things, you are not in compliance with your contract.
The DoD has begun requiring contractors to go through an assessment and scoring process that will measure compliance with NIST SP 800-171. For most, this will consist of a self-assessment reported to the DoD Supplier Performance Risk System (SPRS).
Over the next five years, DoD will transition from the NIST SP 800-171 system to the Cybersecurity Maturity Model Certification (CMMC) system. This system will establish an expanded set of requirements and third-party assessors to certify companies. Proper certification will eventually be required for responding to proposals as well as executing contracts.
If you have the applicable DFARS clause and handle DoD CUI, you must work toward NIST SP 800-171 compliance. As of today, that includes maintaining documentation like a System Security Plan (SSP) and a Plan of Action and Milestones (POAM) showing your progress. As of November 30, 2020, this includes uploading your self-assessment per the process outlined by DCMA’s cybersecurity group.
While the CMMC assessment methodology and infrastructure have not yet been established, the requirements for the various certification levels have been published. Read up on the levels and consider which certificate your company will likely need. NIST SP 800-171 is entirely contained within CMMC Level 3 – that is, any work you are doing toward NIST SP 800-171 compliance will count toward a future CMMC Level 3 certificate.
This can be a frustrating and overwhelming process, especially when you don’t have what you need. FastLane (937.229.1368) advisors get you to solutions faster to make your life easier.
The Defense Federal Acquisition Regulation Supplement is the version of the Federal Acquisition Regulation (FAR) used by DoD to list requirements for being a supplier/contractor. DFARS clauses appear in contracts with DoD and are often flowed down through the supply chain, meaning your company may have to comply with them even if you are not contracting directly with DoD.
Controlled Unclassified Information is what these policies are trying to protect. What constitutes CUI and how it is identified are still evolving – for the latest, go to https://www.dodcui.mil/. Contractors are expected to work with their supply chain to determine where they have CUI.
The National Institute of Standards and Technology publishes many security standards and guidelines used across DoD. Special Publication 800-171, originally a set of “guidelines”, has been adopted by DoD as “requirements” for its contractors handling CUI. These requirements will be incorporated into the CMMC system.
The Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is responsible for auditing compliance with NIST SP 800-171. Their assessment methodology has three levels – Basic, Medium, and High. Basic assessments are self-conducted; medium and high assessments are conducted by DCMA personnel. After November 30, 2020, all contractors with applicable DFARS clauses will need an assessment on file to be considered for DoD awards.
The Supplier Performance Risk System is DoD’s database of supplier performance and the place where all DCMA cybersecurity assessment results will be stored. Results will be available to DoD agencies to consider before awarding contracts, and companies will be able to request copies of their own scores via SPRS.
CMMC is administered by an accreditation body that is in the process of designing the infrastructure for certifying contractors. The CMMC levels are officially defined by the maturity of “cyber hygiene” within the company, but DoD will require certain levels of certification to apply for and win awards. Level 1 covers safeguarding Federal Contract Information, so any company holding information that reveals it is working with DoD will need to be certified at Level 1. Level 2 has been described as a “transition level” toward Level 3, which is the target for handling actual CUI. We will learn more about these levels as the program is rolled out over the next five years. As of today, a pilot program is being run with a limited number of contracts to test and gain feedback on the certification process.