DFARS Compliance Services

We provide comprehensive services to help customers meet DFARS and CMMC requirements at a fraction of the cost of doing it yourself.


Beginning Nov. 30th, 2020, the new DFARS Provision 252.204-7019 will require DoD contractors who handle Controlled Unclassified Information (CUI) to submit to and record a DoD Assessment of their compliance with the 110 controls documented in NIST SP 800-171. Find out more about what this DFARS rule change means for you.

What is DFARS Provision 252.204-7019?

Defense contractors are facing increased scrutiny of their organizations’ cybersecurity programs and a larger obligation to demonstrate that they are compliant with the 110 controls defined in NIST SP 800-171.

NIST SP 800-171 requires organizations to develop a System Security Plan (SSP) describing their program and a Plan of Action and Milestones (POAM) outlining how and when they will mitigate any gaps in their program. A new rule that goes into effect Nov. 30th also requires contractors to submit the results of a self-assessment and a score for their program into a government database of suppliers’ performance information.

Some organizations will be required to undergo government assessment and validation of their program as well. Additionally, prime contractors now have a responsibility to ensure their subcontractors have submitted their information prior to awarding a contract.

How does this impact you?

Every defense contractor must meet the requirements of a Basic Assessment – a self-assessment using the organization’s existing System Security Plan (SSP) and Plan of Action and Milestones (POAM) to calculate their own score and then entering it in the Supplier Performance Risk System (SPRS). The SPRS entry will consist of six fields: SSP name, CAGE code associated with the plan, a brief description of the plan architecture, date of the assessment, total score, and the date by which a score of 110 will be achieved. If you already have an SSP and POAM, it should take less than an hour to complete the Basic Assessment.

Some organizations will be required to undergo further assessments as described below:

  • Medium Assessment: The DoD estimates that 200 unique organizations will go through a Medium Assessment each year, based on the need for a medium level of confidence in how the organization is handling CUI. It will require a DoD representative, most likely from the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), onsite at the organization’s facilities, conducting a review of their Basic Assessment and a thorough document review, and holding discussions with the contractor to obtain additional information or clarification as needed.
  • High Assessment: The DoD estimates that 110 unique organizations will go through a High Assessment each year. It will be similar to the Medium Assessment, with the addition of the government performing “verification, examination, and demonstration” of the SSP to validate that NIST SP 800-171 security requirements have been implemented as described.

Additionally, prime contractors now have a responsibility to ensure their subcontractors have submitted their information prior to awarding a contract.

These new requirements (and increased scrutiny of old requirements) can potentially impact you as a defense contractor in a number of ways:

  • You will lose the ability to bid on contracts if you do not meet these requirements.
  • If you can’t demonstrate to your prime contractors that you meet the requirements, you may lose business to another subcontractor who can.
  • If you make a claim that doesn’t hold up to government scrutiny, you could potentially face legal action.
  • You will need to spend money and time upgrading your programs to meet the requirements.
  • You don’t have a lot of time to prepare for this. Prime contractors are already asking questions of their subcontractors, and the government will start rolling out these new requirements Nov. 30th.

What is DFARS Provision 252.204-7020?

DFARS 252.204-7020, “NIST SP 800-171 DoD Assessment Requirements,” builds on Provision 7019 by requiring a contractor to provide the Government with access to its facilities, systems, and personnel when it is necessary for the DoD to conduct an assessment, and to make sure its subcontractors have submitted their Assessments to SPRS prior to awarding a subcontract.

What is DFARS Provision 252.204-7021?

DFARS 252.204-7021, “Cybersecurity Maturity Model Certification Requirements,” will phase CMMC into contracts over the next 5 years. Inclusion of a CMMC requirement in a solicitation during this time period will be controlled by the USD(A&S). Contracts with CMMC language will require the contractor to:

  • maintain the requisite CMMC level for the duration of the contract.
  • ensure that its subcontractors also have the appropriate CMMC level prior to awarding a subcontract or other contractual instruments.
  • include the requirements of the clause in all subcontracts or other contractual instruments.

CMMC is meant to build upon the “assessment methodology” for NIST SP 800-171, the notice says, by adding the requirement for “a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB contractor can adequately protect sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.”

What can you do to prepare?

Develop or update your cyber program. Defense contractors should consider hiring expertise now to help them with their assessment and score.

We offer the most comprehensive solution to help you write policies, implement technology, document your practices, assess business risk, and put into place the cyber program management needed to ensure you mature to meet the increasing demands on the Defense Industrial Base.

Ardalyst approaches this problem differently. We recognize this isn’t simply a technical problem with a technical solution. Our team combines the technical proficiency of system administration and cybersecurity experts with seasoned business risk and operations analysts to provide a comprehensive solution to a multi-faceted problem. We examine not just the technical controls that make up your cybersecurity defenses but apply business risk assessment to your unique drivers and the way you want to position yourself within your market.

Compliance Solutions Built for DFARS 252.204

Comprehensive Managed Compliance Programs

Compliance Just Got Easier

Take the stress out of meeting your compliance goals. Tesseract, a comprehensive managed cybersecurity program solution, delivers the expertise, the technology, and the support defense contractors need to deploy an enterprise-grade cybersecurity program at prices that fit your budget.

Tesseract Managed Services combines a variety of services into a single, cost-effective, comprehensive program to help you achieve and maintain regulatory compliance and develop a strong cyber defense for your organization. Tesseract delivers the resources of a Managed Security Service Provider (MSSP), Managed Service Provider (MSP), Managed Defense & Response (MDR), Compliance Consulting Services (vCISO), and Compliance Management Software all in one, proven solution.
