If you are not fully aware of the direction DFARS 7012/NIST 800-171 and CMMC 2.0 are taking, this update is a must-read. The information is compiled from attending the CyberAB meetings and the FMA meeting. The high-level view is that the government is beginning to put pressure on companies to adhere to DFARS 7012/NIST 800-171.
The Cybersecurity Maturity Model Certification (CMMC) program has been in the industry news for a few years now and, to some, seems no closer to becoming a reality than it ever has. Many companies are taking a “wait and see” approach to compliance since CMMC 2.0 is still in the rulemaking process. Delaying the inevitable will be a mistake, for these main reasons:
- Going through the compliance process will take some time, and waiting until the last minute could put you in jeopardy of having to pass on RFP bids.
- Essentially, if you are on or pursuing any contracts that include DFARS Clause 252.204-7012, you are already required to be compliant with the major provisions of what will become CMMC 2.0.
- You don’t want to risk being the company prosecuted under the False Claims Act. It has happened: Aerojet just settled.
CMMC 2.0, once codified (2023-2024), will include the current NIST 800-171 requirements as the basis for CMMC Level 2 certification, which is the level most contracting companies in the Defense Industrial Base will be required to attain. However, under the DFARS clause named above, you are already required to safeguard sensitive information today. The differences between CMMC and the current regulations will center on how your compliance is certified and how you address shortfalls through your Plan of Action and Milestones (POAM).
NIST 800-171 specifically focuses on the protection of Controlled Unclassified Information (CUI) and seeks to ensure that such sensitive government information located on contractors’ networks is both secure and protected. Since 2017, the “Law of the Land” for suppliers handling CUI has been compliance with DFARS 252.204-7012 by implementing the cybersecurity requirements laid out in the NIST 800-171 framework, and prime contractors have been stepping up enforcement of flow-down requirements to their subcontractors. You may have already received requests from a prime asking you to attest to your compliance with the NIST 800-171 framework.
Contractors that process CUI in support of the Department of Defense (DoD) use a points-based system to demonstrate compliance with NIST 800-171, and they must register the result in the DoD’s Supplier Performance Risk System (SPRS); scores must be submitted before contract award or renewal. This process involves a self-assessment against the 110 requirements outlined in NIST 800-171, scoring compliance with each individual requirement.
Defense contractors must also generate a System Security Plan (SSP) as part of their evidence of NIST 800-171 compliance. The SSP provides a comprehensive overview of an organization’s IT network, including hardware and software, as well as security processes and policies.
Any NIST 800-171 requirements not met by a DoD contractor should be stated within a POAM. The POAM sets out key dates and timelines for achieving full compliance, must be submitted before the contract begins, and can be updated as the organization addresses areas of non-compliance and as its cybersecurity practices mature. You must be able to provide your SSP and POAMs if requested by the government.
So where do you start?
- STEP 1 – Do some online research to fully understand NIST 800-171 and CMMC. The above link to the NIST standard is helpful, and cyberAB.org will help you get informed and involved with CMMC as it progresses through the formal Federal rulemaking.
- STEP 2 – Gather all your existing security policies and procedures and perform a NIST 800-171 Assessment/Gap Analysis, producing an SSP, a POAM and an SPRS Score with Certification. This can be a daunting task, as it requires you to assess all 110 requirements, provide evidence for each, and document a plan for any shortfall. Braxton-Grant Technologies has trained and experienced staff to help you perform this assessment. We utilize an industry-leading tool to help you record, manage, and report on your compliance, including creating your POAM and SSP.
- STEP 3 – Work on completing your POAM as soon as possible. Braxton-Grant engineers can make recommendations for any technology your cybersecurity environment may be lacking, and we can help you implement it and integrate it into your current environment. Many of the requirements are satisfied with strong policies and procedures, but some requirements (such as Multi-Factor Authentication) will require a technology solution. For some, a managed services arrangement may be the answer to reach compliance in a shorter time and at a lower cost than you might think.
- STEP 4 – Once the POAM is completed, you are more secure, compliant with DFARS 7012, and ready to prepare for a CMMC 2.0 Level 2 audit with a third-party assessor once the CMMC rules are rolled out. Note: the highest-weighted requirements (55 of the 110) will be required for initial compliance and will not be acceptable as open items in your POAM.
Braxton-Grant Technologies is here to help you, whether you need clarification on what’s required; assistance with assessing, recording and reporting your compliance; or help implementing technologies that are part of your POAM. Whatever you need, start TODAY. CMMC may still be in the rulemaking process, but the 110 requirements of NIST 800-171 are here NOW. In fact, three companies are currently undergoing provisional CMMC assessment using Third Party Certified Assessors with oversight from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). NIST 800-171 requires your attention now, and CMMC is coming.