The interim DFARS rule that introduces the Cybersecurity Maturity Model Certification (CMMC) framework and the NIST SP 800-171 DoD self-assessment requirement goes into effect November 30, 2020. Department of Defense contractors must comply with the new rules to be awarded new contracts.
Contractors with the DFARS 252.204-7012 clause in their contracts must conduct a self-assessment against the NIST SP 800-171 security requirements and enter the resulting score in the Supplier Performance Risk System (SPRS) by November 30, 2020. Three questions may come to mind:
- What is the DFARS 252.204-7012 clause?
- What are the NIST SP 800-171 standards?
- What is the fastest way to accomplish this task?
DFARS 252.204-7012 covers “Safeguarding Covered Defense Information and Cyber Incident Reporting.”
It defines the following key terms:
- Adequate security
- Compromise
- Contractor attributional/proprietary information
- Controlled technical information
- Covered contractor information system
- Covered defense information
- Cyber incident
- Forensic analysis
- Information system
- Malicious software
- Media
- Operationally critical support
- Rapidly report
- Technical information
It then sets minimum standards for adequate security, both on the contractor's own systems and in the cloud. Covered contractor information systems must implement the security requirements in NIST SP 800-171; where a cloud service is used to store, process or transmit covered defense information, the provider must meet security requirements equivalent to the FedRAMP Moderate baseline. The clause also requires the contractor to rapidly report cyber incidents to DoD, meaning within 72 hours of discovery, through the DIBNet portal (which requires a DoD-approved medium assurance certificate obtained from an External Certification Authority); to submit any malicious software discovered to the DoD Cyber Crime Center (DC3); to preserve images of all known affected systems and the relevant monitoring and packet capture data for at least 90 days; and to give DoD access for forensic analysis and damage assessment. At a minimum, the incident report must identify the compromised computers, servers, specific data and user accounts involved.
NIST SP 800-171 specifies the security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations. CUI is information the Government creates or possesses, or that a contractor creates or possesses on its behalf, that requires safeguarding or dissemination controls under law, regulation or Government-wide policy but is not classified. Covered defense information under DFARS 252.204-7012 is CUI provided to, or generated by, the contractor in performance of a DoD contract. The standard's 110 security requirements are organized into 14 families:
- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical Protection
- Personnel Security
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
First, identify where CUI is received, stored, processed and transmitted, and scope the systems and people that handle it. Then your company must develop, implement and test the controls for each of the 14 families. These controls may include system monitoring, multi-factor authentication, backup solutions and other tools and methods. You will also need a repeatable risk assessment process and a way to track controls that are not yet in place (NIST SP 800-171 calls for a plan of action for each unimplemented requirement). All of this is documented in a system security plan (SSP), which the standard itself requires, and rolled out across the company or the divisions that have access to CUI.
There are various tools and methods to expedite the assessment of your company's current posture against the DFARS 252.204-7012 clause and the 110 security requirements scored in the NIST SP 800-171 DoD Assessment Methodology scoring template before the November 30 deadline.
Step 1: Complete the self-assessment (the NIST SP 800-171 DoD Basic Assessment). A contractor whose system implements all 110 requirements scores 110. Each requirement that is not implemented subtracts its weighted value of 1, 3 or 5 points, so the score can be negative; the lowest possible score is -203. A system security plan is required: without one the assessment cannot be completed.
Step 2: Create an action plan. For each unimplemented security requirement, the plan of action describes how and when the requirement will be met. Make provisions for managing compliance on an ongoing basis: policy approval, repositories for policy documents, monitoring system security, staff training and NIST SP 800-171 compliance monitoring.
Step 3: Document the NIST SP 800-171 DoD Assessment results. The summary-level score is posted in the Supplier Performance Risk System (SPRS) together with the assessment date, the name of the system security plan assessed, the CAGE codes covered by that plan, and the date by which a score of 110 will be achieved. Registration in the Procurement Integrated Enterprise Environment (PIEE) is required to access SPRS.
Step 4: Implement your action plan and compliance management plan. This is a complex process that requires project management and ongoing monitoring, and a new self-assessment can be posted to SPRS as requirements are closed out.
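As an added example that is not part of the original post, the following Python calculator works through Step 1 (scoring) and Step 2 (ordering the plan of action) for a Basic self-assessment. The weight table is a constructed, illustrative subset of the 110 requirements; the weights shown, and the two partial-credit rules for 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography), are assumed here for demonstration, and the authoritative 1/3/5-point values must be taken from Annex A of the NIST SP 800-171 DoD Assessment Methodology. The function names are this example's own.

```python
# Constructed example: scoring a NIST SP 800-171 DoD Basic (self) Assessment.
# The weights below are an ASSUMED, illustrative subset of the 110 requirements;
# load the authoritative 1/3/5-point weights from Annex A of the DoD Assessment
# Methodology in real use.

PERFECT_SCORE = 110   # every requirement implemented
MINIMUM_SCORE = -203  # every requirement unimplemented (110 minus the sum of all weights)

# requirement id -> points deducted when the requirement is not implemented (assumed)
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users, processes and devices
    "3.1.2": 5,    # limit access to the transactions and functions users may perform
    "3.1.3": 1,    # control the flow of CUI per approved authorizations
    "3.1.20": 1,   # verify and control connections to external systems
    "3.3.1": 5,    # create and retain system audit logs
    "3.5.3": 5,    # multifactor authentication (partial-credit rule below)
    "3.8.3": 5,    # sanitize or destroy media before disposal or reuse
    "3.13.11": 5,  # FIPS-validated cryptography (partial-credit rule below)
    "3.14.1": 5,   # identify, report and correct system flaws in a timely manner
}

# Two requirements earn a reduced deduction when partially implemented (assumed values).
PARTIAL_CREDIT = {
    "3.5.3": 3,    # MFA in place for remote and privileged users but not general users
    "3.13.11": 3,  # encryption in use, but not FIPS-validated
}


def _req_key(req_id):
    """Sort key so '3.13.11' sorts after '3.5.3' numerically, not lexically."""
    return tuple(int(part) for part in req_id.split("."))


def score_assessment(unimplemented, partial=(), has_ssp=True):
    """Return the summary-level score to post in SPRS.

    unimplemented: ids of requirements not implemented (full deduction).
    partial:       ids from PARTIAL_CREDIT that are partially implemented (reduced deduction).
    has_ssp:       3.12.4 (system security plan) is not scored, but without an SSP
                   the methodology does not allow the assessment to be completed.
    """
    if not has_ssp:
        raise ValueError("3.12.4: no system security plan; assessment cannot be completed")
    unimplemented, partial = set(unimplemented), set(partial)
    overlap = unimplemented & partial
    if overlap:
        raise ValueError(f"listed as both unimplemented and partial: {sorted(overlap)}")
    no_rule = partial - PARTIAL_CREDIT.keys()
    if no_rule:
        raise ValueError(f"no partial-credit rule exists for: {sorted(no_rule)}")
    unknown = (unimplemented | partial) - WEIGHTS.keys()
    if unknown:
        raise KeyError(f"requirements missing from the weight table: {sorted(unknown)}")
    deductions = sum(WEIGHTS[r] for r in unimplemented) + sum(PARTIAL_CREDIT[r] for r in partial)
    # The floor can only be reached with the full 110-requirement table; kept as a sanity bound.
    return max(PERFECT_SCORE - deductions, MINIMUM_SCORE)


def remediation_order(unimplemented, partial=()):
    """Plan-of-action ordering for Step 2: close the highest-weighted gaps first."""
    gaps = [(WEIGHTS[r], r) for r in unimplemented]
    gaps += [(PARTIAL_CREDIT[r], r) for r in partial]
    return [r for _, r in sorted(gaps, key=lambda g: (-g[0], _req_key(g[1])))]


if __name__ == "__main__":
    # Constructed scenario: three requirements missing, two partially implemented.
    missing = {"3.1.3", "3.3.1", "3.8.3"}          # 1 + 5 + 5 = 11 points
    partly = {"3.5.3", "3.13.11"}                    # 3 + 3 = 6 points
    print("SPRS score:", score_assessment(missing, partly))        # 110 - 17 = 93
    print("Remediate in order:", remediation_order(missing, partly))
```

Because the 5-point requirements dominate the deduction, closing 3.3.1 and 3.8.3 in this scenario recovers ten points while 3.1.3 recovers one; ordering the plan of action by weight is therefore the quickest route back toward 110.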
Let us help with our Compliance Assessment and Management services. If you need help getting ready for the Cybersecurity Maturity Model Certification self-certification, contact us today for a no-cost consultation with ZAG’s Compliance Analysts.