The DoD created the DFARS Cybersecurity Requirement because our precious military secrets are actively being stolen by US adversaries. These secrets are our competitive advantage that helps the US maintain the most powerful military in the world, defending the best ideas in the world: representative democracy governing a capitalist marketplace. Controlled Unclassified Information is sensitive and worthy of protection. The DoD allows its contractors to process much of this sensitive information in their internal IT networks. The adversaries know this, and increasingly target contractors to steal DoD information. Thus, DoD contractors are a major source of information leakage that leads to compromise of US military competitive advantage. The DoD has decided to do something to plug those leaks.
Through a regulation called the DFARS (Defense Federal Acquisition Regulation Supplement), by which all DoD contractors must abide, contractors that process certain types of sensitive information for the DoD are expected to safeguard that information.
The DFARS cybersecurity requirement includes two main regulations:
1. Provide “adequate security” to protect CUI in the contractor’s IT system. Adequate security is provided by configuring your system according to the safeguards listed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
2. Be able to identify cybersecurity incidents, report them to the DoD, and maintain incident-related information for at least 90 days.
NIST 800-171 has 110 “controls”. Control is another word for safeguard—a thing you must do to protect information. You can think of these controls as high-level requirements for the organization. The 800-171 controls are broken into fourteen (14) families, or groups of related controls.
Does this seem overwhelming? We are here to help guide your organization through the control verification process. We develop the processes, procedures and system security plan required for meeting DFARS.
The requirement to conduct a NIST SP 800-171 self-assessment and report the results provides the DoD and prime contractors with a single, objective metric—the SPRS score—to assess a contractor’s cybersecurity level. While the DoD doesn’t specify minimum SPRS scores that must be achieved, it is reasonable to assume that the DoD will perform risk-based assessments to help determine which companies it will award contracts to. If a company has a low self-assessment score, the DoD will likely consider that company a higher security risk than an alternative supplier with a better score. Unrealistically high scores may also increase DoD scrutiny of an organization.
Further, some prime contractors already have begun to formally request relevant cybersecurity information from their subcontractors, including SPRS scores. If you’re a subcontractor, know that primes are increasingly wary of the risk of working with any subcontractor not in compliance with DoD cybersecurity mandates—and will quickly turn to those that are. If you’re a small- to mid-size company aiming to continue to do business in the DIB, you need to avoid being seen as a weak link in the supply chain.
While the SPRS score is self-attested, it is considered prudent to have an external organization verify the 800-171 controls for compliance.
As a Candidate C3PAO, we are recognized as a professional organization that has direct access to CMMC Accreditation Body (AB) Assessment Standards, Methods and other tools as they become available.
The CMMC-AB is continuing to refine its processes to formalize assessments and train assessors. We stay in frequent contact with the CMMC-AB and will update those interested when official assessments begin.
CMMC is a program initiated by the United States Department of Defense (DoD) in order to measure their defense contractors’ capabilities, readiness, and sophistication in the area of cybersecurity. At a high level, the framework is a collection of processes, other frameworks, and inputs from existing cybersecurity standards such as NIST, FAR, and DFARS.
Currently we recommend organizations continue to focus on the NIST 800-171 standard on which CMMC is primarily based.
The Digital Beachhead consulting team will provide an initial assessment and then develop a gap analysis of your organization's maturity level with regard to CMMC certification. Our team can provide the required policies and procedures, develop a Plan of Action and Milestones (POA&M) for the remediation steps needed, and provide additional support to close remaining gaps. Our team and our consulting approach are customizable to support your needs and budget.
The CMMC 360 Group provides a one-stop shop for all your CMMC certification needs. Due to the complexity of the CMMC 2.0 initiative, the CMMC 360 Group was created to streamline this process. This consortium of subject matter experts was created to keep costs down and provide the expertise that all types of DoD contractors need to quickly assess their readiness and adopt best practices for implementation.