Government Regulations

Clarus Tech Partners provides government-required cybersecurity compliance assessments and consulting.

DFARS - NIST - CMMC

If your company provides products or services to the Department of Defense (DoD), you will be required to meet the new cybersecurity standards and certification requirements set by the Defense Federal Acquisition Regulation Supplement (DFARS).

DFARS provides a set of security controls to safeguard the information systems on which contractor data resides. Currently, those cybersecurity requirements are based on the National Institute of Standards and Technology (NIST) Special Publication 800-171, "Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations", and organizations need to implement its security controls through all levels of their supply chain.

Over the past few years, however, the current method of self-assessment and the cyber requirements used in the DFARS standards have proved insufficient, as the DoD supply chain continues to be subjected to cyberattacks, making more immediate improvements to cybersecurity necessary. The Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) and the DoD are now transitioning to the new Cybersecurity Maturity Model Certification (CMMC) framework, which combines standards from NIST, ISO and AIA and will require a third-party audit and certification by a CMMC Third Party Assessment Organization (C3PAO).

On September 29, 2020, the Defense Acquisition Regulations System released a new DFARS Interim Rule that supplements the current DFARS 7012 clause and serves as a procedure to bridge the gap between NIST 800-171 self-assessment and CMMC while CMMC is still being enacted.

What is the DFARS Interim Rule?

The new requirement takes effect on November 30, 2020 for all contractors subject to the DFARS 252.204-7012 clause because they handle Controlled Unclassified Information (CUI). These contractors will need to complete a new NIST 800-171 Self-Assessment under a new scoring methodology with three assessment levels (Basic, Medium, and High) together with additional reporting, and the results must be posted to the Supplier Performance Risk System (SPRS) before contracts will be awarded. The Self-Assessment must also include a completed System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) that document the current state of the organization's networks and systems and its plan to achieve full compliance with the NIST 800-171 requirements. Prime contractors must also require their subcontractors and suppliers to meet the DFARS Interim Rule.

Immediate action is required to prepare for the November 30th deadline and remain eligible for government contracts. Contact us today to receive a scored assessment and guidance through the process of complying with DFARS, the Interim Rule, and future developments in CMMC and DFARS.

DFARS Interim Rule Update for Government Contractors:

The November 30th deadline is quickly approaching.

While the CMMC is being rolled out over the next few years, the DFARS Interim Rule goes into effect November 30th, 2020.

Do you know how to navigate the new NIST and CMMC cybersecurity requirements?

Download Your Free DFARS Interim Rule Guide

What is CMMC?

Cybersecurity includes risk management, incident response, physical security, employee awareness training, and more.

The new DoD Cybersecurity Maturity Model Certification (CMMC) Model builds on the existing NIST 800-171 and DFARS 252.204-7012 regulations and adds an auditor certification component. It combines several cybersecurity standards and best practices into a set of controls tied to a required level of cybersecurity maturity.

The CMMC defines five cybersecurity "hygiene" maturity (readiness) levels, from basic Level One to advanced Level Five for highly sensitive defense assets.

The CMMC Model

Different contractors will be held to different standards. There are five cybersecurity maturity levels, and the level expected of a contractor depends on the information it handles.

These levels are cumulative, meaning that to achieve any level, a contractor will need to fulfill all the requirements for the levels before it.

Who does CMMC apply to?

  • All new Department of Defense contracts will require contractors, both prime contractors and subcontractors, to hold a Cybersecurity Maturity Model Certification (CMMC).

  • According to the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), all companies, no matter how small or what product or service they provide, will have to be assessed and certified by a third-party auditor before they can submit a proposal.

Why CMMC?

  • The Cybersecurity Maturity Model Certification (CMMC) is a new cybersecurity maturity model that aims to significantly enhance the cybersecurity and resiliency of the DoD's contractor network by creating a single cybersecurity standard for companies to meet.

  • It ensures an appropriate level of cyber hygiene: the practices and steps that users of computers and other devices take to maintain system health and improve online security, protecting identities and other data that could otherwise be stolen or corrupted.

  1. Level 1 is the requirement for any contractor that does not handle Controlled Unclassified Information (CUI). The focus of this level is safeguarding Federal Contract Information (FCI).

  2. Level 2 serves as a transitional step for contractors that protect CUI; maturity at this level requires documenting policies and implementing practices for protecting CUI.

  3. Level 3 is for contractors tasked with the protection of CUI. Such contractors will need to show that they can establish, maintain and resource plans for that protection.

  4. Levels 4 and 5 are the highest maturity standards, for contractors that protect CUI. To achieve these levels, contractors must show maturity not only in protecting CUI but also in reducing the risk of advanced persistent threats. Such contractors will need to review and measure activities for effectiveness to reach Level 4, and to standardize and optimize an organizational approach to reach Level 5.

How to Become CMMC Certified

  • Determine the CMMC level required for your business.

  • Conduct a gap assessment to determine which areas you need to improve.

  • Remediate the gaps.

  • There is no self-certification; you will need to request and schedule a third-party audit and certification by a CMMC Third Party Assessment Organization (C3PAO).

  • Your company will be awarded a level of certification by demonstrating the appropriate cybersecurity maturity to the auditors.

  • Certification is valid for 3 years.

Clarus Tech Partners provides customized CMMC support. We can help you with your assessment, roadmap and remediation, and prepare your business for certification at any CMMC level, 1 through 5.

Read more about CMMC at https://www.acq.osd.mil/cmmc/index.html.

Schedule your consultation.

Consult with our team of experts at Clarus Tech Partners.