Since 12/31/2017, the DoD has expected the supply chain to conform with the NIST 800-171 cybersecurity standards. The expectation, including the flow-down clause for subcontractors, has been in the Defense Federal Acquisition Regulations (DFARS) 252.204-7012 section of contracts. NIST 800-171 requirements include Physical, Technical and Administrative security controls across 14 families and require companies to have a System Security Plan (SSP), Plan of Actions & Milestones (POA&M) and Incident Response Plan. Companies were able to self-attest that they were conforming. The DoD grew more and more concerned about the threat of cyber-attacks and estimated that less than 20% of the supply chain was meeting the standards. Therefore, the Cybersecurity Maturity Model Certification (CMMC) was created. Rather than self-attestation, there will be a third-party assessment and certification process to hold the supply chain accountable to the standards.

NJMEP Can Help

DoD Cyber Assessment and Full Remediation Support

  • Complete the assessment against both the 110 NIST 800-171 controls and the 130 CMMC Level 3 controls, create your POA&M and work through remediation
  • Continuous Monitoring, Threat Detection and Prioritization
  • Leverage Policy and Training templates for policies and trainings you need to create
  • Leverage secure portal to view sample documents and upload your artifacts for review
  • Work with Subject Matter Experts to guide you through and validate the work being done
  • Track your progress via your portal

Each contractor must supply the following information with respect to each system being assessed:

  • Assessment Date
  • Assessment Score
  • Assessing Scope
  • Plan of Action Completion Date
  • CAGE Code

NIST MEP, NJMEP leadership and our cybersecurity resource were involved in the creation of the CMMC, and NJMEP is the implementation partner in a DoD OEA grant to help companies become compliant. For over a year, NJMEP has not only been hosting workshops, and now webinars, to educate companies about these requirements but has also been assisting with gap analysis and remediation to the standards.

The average score we see for companies completing a gap analysis against the NIST 800-171 controls is less than 30%. Companies that have someone focused on this, working with our resource, have been taking between six months and 1 year to complete it. Our resource provides cyber protection for the Army and intelligence communities and developed a scalable solution specifically for small to mid-size companies.

Contact NJMEP's Cyber Security Team for More Information
