DFARS 252.204-7019 and NIST SP 800-171 – What does it All Mean?
If your organization works within the defense industry, you are likely familiar with the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7019. This federal act requires that any Department of Defense (DoD) contractor working with covered defense information (CDI) and controlled unclassified information (CUI) protect their data using the NIST SP 800-171 security protocol.
NIST SP 800-171 is a code of requirements that any non-Federal organization must follow in order to store, use, or transmit CUI, and provide security protection for their systems. This system is comprised of 110 security practices that are organized into 14 domains, each related to a general security area. For a time, contractors who worked with the DoD were only required to self-attest their compliance with DFARS and NIST SP 800-171. They were responsible for implementing, monitoring, and certifying the security of their IT systems and any sensitive information stored there.
In September 2020, the DoD published an update to the DFARS requiring the use of the Cybersecurity Maturity Model Certification (CMMC) framework to evaluate contractor compliance and enhance security standards.Â
What is CMMC?
Cybersecurity Maturity Model Certification, or CMMC 2.0, is a unified system of compliance levels that help the DoD and other governmental agencies determine whether an organization has the security necessary to work with controlled or sensitive data. Related to the NIST SP 800-171, CMMC contains three different maturity levels suppliers are required to meet – Foundational, Advanced, and Expert. While certification can be an extensive process, its main goal is to identify gaps and opportunities in a security system and how mature an organization’s security initiatives are.Â
Today, all 300,000 DoD contractors and researchers will need to obtain third-party certification to meet requirements for CMMC, as well as the maturity level appropriate to the work they do with the DoD.Â
Contractors that do not follow compliance within these frameworks may be subject to criminal and civil penalties. These standards must be followed in order to maintain the integrity of sensitive data that is essential for federal agencies to conduct assigned missions and business operations.Â
Initial Steps to Compliance (CMMC Checklist)
Before working towards CMMC compliance, it is recommended that organizations review the following checklist:
- Familiarize Yourself with CMMC
- Stay up-to-date on new developments regarding CMMC versions, and use the official DoD site as your primary source of information
- Assign Responsibilities
- Establish a team that will educate users on the new framework and assign responsibilities for working towards CMMC compliance
- Determine Appropriate CMMC levels
- Reference DoD contracts which will determine the flow-down of supply chain maturity level requirements. Note: Any contractor required to protect CUI must achieve at least Level 2
- Conduct Gap Assessment
- Examine the current state of your cybersecurity and identify gaps between your capabilities and the requirements for the CMMC level sought
- Submit Assessment Score to SPRS
- Submit assessment score to the Supplier Performance Risk System (SPRS); the web-based app utilized by the DoD to gather, process and display data about the performance of suppliers
- Establish Budget and Remediation Plan
- Create a budget and remediation plan that includes impact, cost, resources, time to implement, and tracking progress to help guide your work
What to Expect from a CMMC Assessment?
When working towards CMMC compliance, your organization will need to work with a Registered Provider Organization (RPO), like Vancord, to ensure your data is protected and that you are in compliance with the necessary legal requirements.Â
To meet NIST 800-171 requirements and prepare you for CMMC certification, Registered Practitioners (RPs) will perform the following services:
- Gap Assessment
- RPs will assess the current state of the organization’s cybersecurity against the controls in NIST 800-171 and CMMC 2.0 to identify areas of improvement necessary to achieve certification.
- Establish Objectives and Resources
- Organization to choose the proper certification level based on current business needs and long-term goals to develop objectives and resources needed.
- Develop a Plan of Action and Milestones (POAM)
- By comparing controls currently in place to the appropriate level control requirements, RPs will prioritize remediations and develop a plan of action and milestones
- Develop a Tailored System Security Plan (SSP)
- A customized and comprehensive security plan (SSP) will be established, defining the performance of suppliers and identifying systems in scope.
- Prepare a Company for Official Certification
- A CMMC Third-Party Assessor Organization will perform the official assessment. Pending results, your organization will receive official certification.Â
Who Needs CMMC Certification?
Organizations within the defense industry, specifically manufacturers or contractors that operate with CUI, must be CMMC certified. This may apply to companies that support the aerospace, naval, or military sectors and engineers and manufacturers that produce machine parts or coating. Government contracts will often indicate what level of compliance and certification is required. For example, the level of clearance needed depends on the project and the type of information your organization is working with.Â
Why Choose Vancord for your CMMC Assessment?
Our team of experts can help you navigate these requirements and provide:
Learn about the technical requirements and prepare for certification
Evaluate your current practices and procedures, identifying any potential gaps
Document current controls and procedures against your appropriate CMMC level controls
Be equipped to navigate and adhere to CMMC requirements
Start preparing now for long-term cybersecurity agility. Our CMMC Assessment Service will help you find the gaps in your cybersecurity networks, eliminate security weaknesses, and be ready for a CMMC certification. Request a meeting with our compliance experts today to get started.