Adhering to compliance standards is of vital importance to organizations. Data is always at risk of compromise, so standard practice is to protect sensitive information by establishing and following network security processes that meet the regulations governing your industry. Braxton-Grant understands the urgency of the problem and the penalties an organization faces for non-compliance.
The Big News: An interim rule change to the DFARS went into effect on November 30, 2020.
- DFARS 252.204-7012 has not been changed. The current requirements for a System Security Plan (SSP), Plan of Action and Milestones (POA&M), and Incident Response Plan remain as they are.
- DFARS 252.204-7019 has been added. This requires contractors to submit NIST SP 800-171 self-assessment (Basic) scores to the DoD through the Supplier Performance Risk System (SPRS).
- DFARS 252.204-7020 has been added. This requires contractors to give DoD access to their facilities, systems, and personnel so that trained DoD assessors can conduct a Medium or High assessment of NIST SP 800-171 implementation, and it flows the assessment requirements down to subcontractors.
- DFARS 252.204-7021 has been added. This rule allows the inclusion of CMMC requirements in future contracts.
- CMMC has a five-year phased roll-out plan for including CMMC requirements in contracts.
- SPRS access: make sure you register for an account to access the Supplier Performance Risk System (SPRS), because scores cannot be submitted without one.
Are you aware? The interim rule represents a renewed focus by the government on contractors practicing good cyber hygiene.
Several key requirements in DFARS 252.204-7012 remain whose impact many contractors fail to fully understand:
- FedRAMP Moderate (or equivalent) for any cloud service that stores, processes, or transmits covered defense information
- Paragraphs (c) through (g), covering cyber incident reporting, malicious software handling, media preservation, access for DoD investigators, and damage assessment (incident response and forensics)
- A DoD-approved Medium Assurance Certificate, which is required to submit cyber incident reports
Contractors now have contractual obligations to meet DFARS 252.204-7012 and NIST SP 800-171 (DoD contracts) or FAR 52.204-21 (Federal civilian contracts). Prime contractors flow these requirements down to partners and subcontractors.
The CMMC accreditation process is still being fleshed out. Click below for up-to-date information regarding CMMC.
How Can Braxton-Grant Help?
As a cybersecurity company that has been providing information security to DoD customers since 1997, Braxton-Grant has a deep understanding of the technologies and processes needed to protect your company's information systems.
The immediate goal is to produce a complete Gap Assessment consisting of:
- Baseline vulnerability scan: identifies critical security vulnerabilities on the network and reports them so the most dangerous findings can be addressed first.
- System Security Plan (SSP): written against the current NIST SP 800-171 requirements and describing how each requirement is (or is not yet) implemented.
- Plan of Action and Milestones (POA&M): a milestone for every identified requirement shortfall, with expected completion dates assigned to as many milestones as possible.
- SPRS score: a NIST SP 800-171 DoD Assessment Methodology (Basic) score derived from the SSP and POA&M, ready for submission to SPRS.
- Cybersecurity mitigation plan: recommendations on hardware, software, or follow-on services such as remediation, consulting, and ongoing monitoring.
Braxton-Grant has developed a product set that includes the compliance documentation and security products necessary to meet NIST SP 800-171 rev. 1/2 requirements. Our product set is scalable, best-of-breed, and cost-effective for small and mid-sized businesses.
Allow us to perform a NIST SP 800-171 Gap Assessment based on the tools and processes you currently have in place. The assessment will help you make better use of the tools you already own and define what additional tools may be required. Implementing the NIST SP 800-171 requirements one piece at a time tends to produce overlapping products and a higher total cost of implementation.
Note that the DFARS 252.204-7012 requirement to implement NIST SP 800-171 does not mean every one of the 110 requirements must already be fully met. What you must have is a System Security Plan, a Plan of Action and Milestones for the requirements not yet met, and a current assessment score posted in the Supplier Performance Risk System (SPRS). Keep in mind that each unimplemented requirement lowers that score, and the score is visible to contracting officers.