Need Assistance?
Speak with an Engineer
Not sure where to start? We're here to help walk you through the process, understand your environment, and provide the guidance you need to achieve cybersecurity maturity. Get in touch today.
Get in TouchDFARS Compliance Services
We provide comprehensive services to help customers meet DFARS and CMMC requirements at a fraction of the cost of doing it yourself.
Beginning Nov. 30th, 2020, the new DFARS Provision 252.204-7019 will require DoD contractors who handle Controlled Unclassified Information (CUI) to submit to and record a DoD Assessment of their compliance with the 110 controls documented in NIST SP 800-171. Find out more about what this DFARS rule change means for you.
What is DFARS Provision 252.204-7019?
Defense contractors are facing increased scrutiny of their organizations’ cybersecurity programs and a larger obligation to demonstrate that they are compliant with the 110 controls defined in NIST SP 800-171.
NIST 800-171 requires organizations to develop a System Security Plan (SSP) describing their program and a Plan of Action and Milestones (POAM) outlining how and when they would mitigate any gaps in their program. A new rule that goes into effect Nov. 30th also requires contractors to submit the results of a self-assessment and a score for their program into a government database of supplier’s performance information.
Some organizations will be required to undergo government assessment and validation of their program as well. Additionally, prime contractors now have a responsibility to ensure their subcontractors have submitted their information prior to awarding a contact.
How does this impact you?
Every defense contractor must meet the requirements of a Basic Assessment – a self-assessment using the organization’s existing System Security Plan (SSP) and Plan of Actions and Milestones (POAM) to calculate their own score and then entering it on SPRS. The SPRS entry will consist of six fields: SSP name, CAGE code associated with the plan, a brief description of the plan architecture, date of the assessment, total score, and the date a score of 110 will be achieved. If you already have an SSP and POAM, it should take less than an hour to complete the Basic Assessment.
Some organizations will be required to undergo further assessments as described below:
- Medium Assessment: The DoD estimates that 200 unique organizations will go through a Medium Assessment each year, based on the need for a medium level of confidence in how the organization is handling CUI. It will require a DoD representative, most likely from the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), onsite at the organization’s facilities conducting a review of their Basic Assessment, a thorough document review, and holding discussions with the contractor to obtain additional information or clarification as needed.
- High Assessment: The DoD estimates that 110 unique organizations will go through a High Assessment each year. It will be similar to the Medium Assessment, with the addition of the government performing “verification, examination, and demonstration” of the SSP to validate that NIST SP 800-171 security requirements have been implemented as described.
Additionally, prime contractors now have a responsibility to ensure their subcontractors have submitted their information prior to awarding a contact.
These new requirements (and increased scrutiny of old requirements) can potentially impact you as a defense contractor in a number of ways:
- You will lose the ability to bid on contracts if you do not meet these requirements.
- If you can’t demonstrate to your prime contractors that you meet the requirements, you may lose business to another subcontractor who can.
- If you make a claim that doesn’t hold up to government scrutiny, you could potentially face legal action.
- You will need to spend money and time upgrading your programs to meet the requirements.
- You don’t have a lot of time to prepare for this. Prime contractors are already asking questions of their subcontractors, and the government will start rolling out these new requirements Nov. 30th.
What can you do to prepare?
Develop or update your cyber program. Defense contractors should consider hiring expertise now to help them with their assessment and score.
We offer the most comprehensive solution to help you write policies, implement technology, document your practices, assess business risk and put into place the cyber program management needed to ensure you mature to meet the increasing demands on the Defense Industrial Base.
Ardalyst approaches this problem differently. We recognize this isn’t simply a technical problem with a technical solution. Our team combines the technical proficiency of system administration and cyber security experts with seasoned business risk and operations analysts to provide a comprehensive solution to a multi-faceted problem. We examine not just the technical controls that make up your cybersecurity defenses but apply business risk assessment to your unique drivers and the way you want to position yourself within your market.
DFARS Compliance Services
DFARS Provision 252.204-7019 Essentials Evaluation – Free
We will interview your key staff to gain an understanding of your cybersecurity program and the controls you currently have in place. We will provide you with a preliminary score out of 110 controls and a summary report of our findings which can be incorporated into your SSP and POAM. (4 hours)
DFARS Provision 252.204-7019 Comprehensive Evaluation (includes a complimentary CMMC Level 3 Pre-Evaluation) – $9,500
This includes everything in the Essentials Evaluation, plus a CMMC Level 3 Pre-Evaluation. We will provide you with recommendations and a roadmap for remediating existing gaps. (1-2 weeks)
DFARS Provision 252.204-7019 Transformational Evaluation (includes a complimentary CMMC Level 3 Evaluation) – $19,500
This includes everything in the Comprehensive Evaluation plus and executive workshop to help your leadership team understand your program roadmap. We will provide assistance in drafting your SSP and POAM describing your process and timeline for eliminating gaps and vulnerabilities in your system. (1 month)
NIST 800-171 / CMMC Cybersecurity Pilot Program – $24,500
Start your CMMC journey now with a pilot of your full cyber program. Migrate a sample of 5 people from your organization to Microsoft GCC-High and receive everything in the Transformational Evaluation plus:
- Full software licenses
- Proof of our solution and environment
- An outline of roles and responsibilities
- Validation of your user experience
- A test bed for reducing adoption risk and allow users to get onto a unified platform sooner
(6-8 weeks)