The window of opportunity for achieving compliance with DFARS 252.204-7012, which requires the implementation of NIST 800-171 across the DoD supply chain, continues to get smaller as the ability to self-certify is set to expire.
CyberSheath attended the Professional Service Council’s 2019 Federal Acquisition Conference where Special Assistant to DoD’s Assistant Secretary of Defense Acquisition for Cyber Katie Arrington stated clearly that “…cost, schedule, and performance cannot be traded for security.” Security is the foundation of defense acquisition.
Much has been written about The Defense Department (DoD) Office of the Under Secretary Acquisition of Sustainment creation of a new certification model to enforce compliance, but the fact is compliance is already required. So, while it is important to understand where the DoD is headed in enforcing compliance, it’s more important to stop delaying and act now. The DoD has been working with industry for more than a decade to address the cybersecurity problem across the supply chain and contractors who continue to self-certify with Plans of Action & Milestones (POA&Ms) that never actually get implemented will be frozen out of acquisition as DoD makes cybersecurity a “go/no-go” part of procurement.
Cybersecurity Maturity Model Certification (CMMC) and the New Certification
The Cybersecurity Maturity Model Certification (CMMC) and the new certification will have required CMMC levels once the certification is released, with levels ranging between one and five –from basic cyber hygiene requirements through “state-of-the-art” cybersecurity capabilities.
Arrington is moving quickly to complete the CMMC by January 2020, and contractors can expect to start seeing the certification in contract requests for information by June 2020.
Within CMMC, a third-party cybersecurity certifier will also conduct audits, collect metrics, and information risk mitigation for the entire supply chain.
“With 70 percent of my data living in your environment, I’m home, so we need to work together to secure it,” Arrington said. “Who is the government? You are when you’re the taxpayer. That’s your money. That’s your data that you have paid for that our adversaries are taking and using it against us. We should be infuriated as a nation about our data. With $600 billion a year being expelled by our adversaries; this room should be irate.”
All of these developments, coupled with the May 8, 2019, California court Civil False Claims Act decision as the first reported FCA decision involving allegations of non-compliance with DFARS 252.204-7012 should spur action towards immediate compliance. Checklist compliance and continued delays of actual control implementation will absolutely cost you more in the long run so get started now, make a plan and execute.
5 Steps To DFARS Compliance
Compliance with the DFARS and NIST requirements involves much more than writing a System Security Plan (SSP) and vendors selling you a tool to get compliant are misleading you. There are 110 security requirements in NIST 800-171 and you have to actually implement them, there isn’t a single product to solve this problem.
Download our 5 Steps to DFARS Compliance Guide to plan and enable compliance as a documented, automated outcome of day-to-day operations. This easy to follow guide presents a plan you can follow to achieve compliance in a way that fits your business and budget. DoD contractors, subcontractors and vendors taking a wait and see approach before achieving compliance are ignoring the last decade of clear warning signs that security has become the foundation of acquisition. Act now!