Since 12/31/2017, the DoD has expected its supply chain to conform to the NIST 800-171 cybersecurity standards. The expectation, including the flow-down clause for subcontractors, has been in the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 section of contracts. NIST 800-171 requirements include physical, technical and administrative security controls across 14 families and require companies to have a System Security Plan (SSP), a Plan of Actions & Milestones (POA&M) and an Incident Response Plan. Companies were able to self-attest that they were conforming. The DoD grew increasingly concerned about the threat of cyber-attacks and estimated that less than 20% of the supply chain was meeting the standards. Therefore, the Cybersecurity Maturity Model Certification (CMMC) was created. Rather than self-attestation, there will be a third-party assessment and certification process to hold the supply chain accountable to the standards.
NJMEP Can Help
DoD Cyber Interim Rule Assessment
- Complete the assessment against the 110 controls
- Identify your gaps and receive guidance on what needs to be done
- Calculate your score and get your information uploaded to the SPRS database
DoD Cyber Assessment and Full Remediation Support
- Complete the assessment against both the 110 NIST 800-171 controls and the 130 CMMC Level 3 controls, create your POA&M and work through remediation
- Continuous monitoring, threat detection and prioritization
- Leverage policy and training templates for the policies and training you need to create
- Leverage secure portal to view sample documents and upload your artifacts for review
- Work with Subject Matter Experts to guide you through and validate the work being done
- Track your progress via your portal
NIST MEP, NJMEP leadership and our cybersecurity resource were involved in the creation of the CMMC, and NJMEP is the implementation partner in a DoD OEA grant to help companies become compliant. For over a year, NJMEP has been hosting workshops, and now webinars, to educate companies about these requirements, and has also been assisting with gap analysis and remediation to the standards.
The average score we see for companies completing a gap analysis against the NIST 800-171 controls is less than 30%. For companies with someone focused on this and working with our resource, completion has been taking between six months and one year. Our resource provides cyber protection for the Army and intelligence communities and has developed a scalable solution specifically for small to mid-size companies. A limited number of partial funding credits are also available from the DoD OEA grant to help offset some of the cost of a Full Remediation project.
On September 29th, 2020, the DoD announced an Interim Rule that requires DoD contractors to complete a NIST 800-171 assessment and upload the information into the Supplier Performance Risk System (SPRS) database. Starting November 30th, 2020, Contracting Officers must confirm that suppliers have an active SPRS assessment prior to awarding a new contract or exercising an option under an existing contract.
The assumption is that companies have already completed a NIST 800-171 assessment, created a Plan of Actions & Milestones (POA&M), have an estimated timeline for completing outstanding items, and can calculate their score using the DoD scoring methodology.