DoD Cybersecurity Compliance

 

Are you a DoD Prime or Sub Contractor? If so, UT CIS has two upcoming opportunities to help your company understand and achieve DoD Cybersecurity compliance.

Not sure if the compliance requirements apply to you? On February 23rd, the Tennessee PTAC group will provide an update on CMMC and SPRS. Information will include a review of the current standards, who they will apply to, and what will be required. Register HERE.

Currently working on your self-assessment and need assistance? On February 23rd through February 25th UT CIS will facilitate a virtual working cohort designed to assist DoD contractors in completing the basic self-assessment as required by DFAR 252.204-7019, Safeguarding CUI. Upon completion of the workshop you will have the score to input into the Supplier Performance Risk System (SPRS), as required by Annex B. Register HERE.

Department of Defense Cybersecurity Maturity Model Certification

The Undersecretary of Defense for Acquisition and Sustainment (OSD A&S) released the Cybersecurity Maturity Model Certification (CMMC) on 31 January 2020. CMMC will be a mandatory cybersecurity certification process that utilizes 3rd Party Auditors to verify that defense suppliers meet specific information security standards. The specific information security standards are detailed in the CMMC model. View the CMMC model here. https://www.acq.osd.mil/cmmc/draft.html

DoD suppliers must continue to abide by DFARs 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) if this clause is contained in your contract, and your company has Controlled Unclassified Information (CUI). Currently, DFARs clause 7012 references NIST SP 800-171 as the standard for demonstrating adequate security.

In the Spring/Summer of 2020, DoD worked to update the DFARs to reference CMMC instead of NIST SP 800-171. Additionally, the below conceptual phase-in schedule was discussed:

• Summer/Fall 2020 - 10 “pathway” RFIs and RFPs will be selected for CMMC inclusion. This will impact about 150 flow-down defense suppliers.
• Expectation that about 1500 companies will receive CMMC certs in 2021.
• Phase CMMC into all DoD contracts during a 5-year period from 2021 to 2026.

Although DoD is adopting this “crawl, walk, run” approach utilizing the above conceptual schedule, it critically important for defense suppliers to start the process of improving their cybersecurity posture now.

Why Is It Important to Start Now? There are several reasons that it is critically important to start the process of meeting the mandatory cybersecurity standards now. First, the proliferation of cyber-attacks on defense suppliers is rising at an exponential pace. The result is a massive loss of technological advantage over our possible adversaries and the loss of business revenue as systems are recovered from malware attacks. Second, it will take a significant amount of company resources, time and money, to meet the DFARs-CMMC standard. Spreading this effort over a couple of years will reduce the impact on the operational tempo of the company and lessen the acute impact on the budget. Third, and lastly, a company must have a CMMC certificate before contract award in the future process. In order to prevent a disruption of defense revenue, it is better to prepare early and be ready to obtain a certificate when the 3rd Party Audit system is established.