Beginning Nov. 30th, 2020, the new DFARS Provision 252.204-7019 will require DoD contractors who handle Controlled Unclassified Information (CUI) to submit to and record a DoD Assessment of their compliance with the 110 controls documented in NIST SP 800-171. Find out more about what this DFARS rule change means for you.
Defense contractors are facing increased scrutiny of their organizations’ cybersecurity programs and a larger obligation to demonstrate that they are compliant with the 110 controls defined in NIST SP 800-171.
NIST SP 800-171 requires organizations to develop a System Security Plan (SSP) describing their program and a Plan of Action and Milestones (POAM) outlining how and when they will mitigate any gaps in their program. A new rule that goes into effect Nov. 30th also requires contractors to submit the results of a self-assessment, including a score for their program, into a government database of supplier performance information.
Some organizations will be required to undergo government assessment and validation of their program as well. Additionally, prime contractors now have a responsibility to ensure their subcontractors have submitted their information prior to awarding a contract.
Every defense contractor must meet the requirements of a Basic Assessment – a self-assessment using the organization’s existing System Security Plan (SSP) and Plan of Action and Milestones (POAM) to calculate their own score and then entering it in SPRS. The SPRS entry consists of six fields: SSP name, the CAGE code associated with the plan, a brief description of the plan architecture, the date of the assessment, the total score, and the date by which a score of 110 will be achieved. If you already have an SSP and POAM, completing the Basic Assessment should take less than an hour.
Some organizations will be required to undergo further assessments as described below:
- Medium Assessment: The DoD estimates that 200 unique organizations will go through a Medium Assessment each year, based on the need for a medium level of confidence in how the organization is handling CUI. It requires a DoD representative, most likely from the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), to be onsite at the organization’s facilities to review their Basic Assessment, conduct a thorough document review, and hold discussions with the contractor to obtain additional information or clarification as needed.
- High Assessment: The DoD estimates that 110 unique organizations will go through a High Assessment each year. It will be similar to the Medium Assessment, with the addition of the government performing “verification, examination, and demonstration” of the SSP to validate that NIST SP 800-171 security requirements have been implemented as described.
These new requirements (and increased scrutiny of old requirements) can potentially impact you as a defense contractor in a number of ways:
- You will lose the ability to bid on contracts if you do not meet these requirements.
- If you can’t demonstrate to your prime contractors that you meet the requirements, you may lose business to another subcontractor who can.
- If you make a claim that doesn’t hold up to government scrutiny, you could potentially face legal action.
- You will need to spend money and time upgrading your programs to meet the requirements.
- You don’t have a lot of time to prepare for this. Prime contractors are already asking questions of their subcontractors, and the government will start rolling out these new requirements Nov. 30th.
Develop or update your cyber program. Defense contractors should consider hiring expertise now to help them with their assessment and score.
We offer the most comprehensive solution to help you write policies, implement technology, document your practices, assess business risk, and put into place the cyber program management needed to ensure you mature to meet the increasing demands on the Defense Industrial Base.
Ardalyst approaches this problem differently. We recognize this isn’t simply a technical problem with a technical solution. Our team combines the technical proficiency of system administration and cybersecurity experts with seasoned business risk and operations analysts to provide a comprehensive solution to a multi-faceted problem. We examine not just the technical controls that make up your cybersecurity defenses but apply business risk assessment to your unique drivers and the way you want to position yourself within your market.