Since the inception of DFARS 7012 for cybersecurity compliance, contractors have been charged with self-attesting that they meet these two main requirements:
- Provide “adequate security” for CUI in the contractor internal information systems, by implementing the National Institutes of Standards and Technology (NIST) 800-171 cybersecurity controls (safeguards)
- The ability to recognize and report cybersecurity incidents to the DoD via a special online portal
To be clear: DFARS 7012 is a good thing, as our adversaries for too long have targeted DoD contractors—the weakest link in the DoD supply chain—to steal our precious military secrets. Not sure what the cybersecurity requirements are for contracting? You can read about the NIST 800-171 Contract Clause here.
However, the winds are changing, and contractors are starting to be held accountable by the DoD for these attestations. In January 2019, Undersecretary of Defense for Acquisition, Ms. Ellen Lord, released a memo directing the Defense Contractor Management Agency (DCMA) to begin validating and verifying (V&V) contractor implementations of the DFARS 7012 requirements.
At a fantastic USC/Northrop Grumman 800-171 workshop in early July in Grand Forks, ND, the Northrop Grumman presenter indicated his organization, in consortium with several other large DoD prime contractors, had indeed begun the validation and verification process with reps from DCMA. The DCMA is doing a sort of “proof-of-concept” audit with the large primes, and then will be targeting smaller primes and subcontractors in the future. The bottom line: it’s time for all DoD contractors, prime or sub, to get ready for DoD-led audits of their internal IT processes.
But that’s not all. In May 2019 the DoD announced even broader changes to contractor cybersecurity accountability. Katie Arrington of the Undersecretary’s office presented a notional concept of a DoD-sponsored Cybersecurity Maturity Model Certification (CMMC) for DoD contractors. The CMMC is scheduled to be rolled out in phases in 2020, replete with an assessment tool independent third-party auditors will use to evaluate contractors’ implementation of DFARS 7012. Here are the basic tenets of the CMMC as Ms. Arrington presented them:
- The DoD is working with John Hopkins University Applied Physics Laboratory (APL) and Carnegie Mellon University Software Engineering Institute (SEI) to review and combine various cybersecurity standards into one unified standard and maturity model for cybersecurity, the CMMC.
- The CMMC levels will range from basic hygiene to “State-of-the-Art”.
- The required CMMC level (notionally between 1 – 5) for a specific contract will be contained in the RFP sections L & M, and will be a “go/no-go decision”.
- The CMMC must be semi-automated and, more importantly, cost effective enough so that Small Businesses can achieve the minimum CMMC level of 1.
- A neutral 3rd party will maintain the CMMC for the DoD.
Ms. Arrington’s presentation went on to explain that the CMMC will integrate cybersecurity controls and safeguards from multiple standards, including the NIST 800-171, ISO 27001, CMMI, etc.
Currently NIST 800-171 is the control set we are required to use, and our Totem™ cybersecurity planning tool is the best lightweight security planning tool available for DoD contractors. The tool has and will continue to adapt to include any new implementation requirements for DFARS 7012 compliance.
It appears that CMMC may shift to requiring cybersecurity “capabilities”, which are roll-ups of individual controls. As notionally described, the 800-171 controls or capabilities will be divvied up among the CMMC maturity levels, so to meet CMMC Level 1, an organization would only have to be compliant with, say, 50 of the 110 800-171 controls/capabilities. CMMC Level 5 would require implementation of all 110 controls/capabilities. In fact, Northrop Grumman has been requiring a similar Cybersecurity Maturity level attestation of its subcontractors via its Supplier Security Assessment Questionnaire since at least 2016, so some of you may be familiar with this concept.
Below is a graphical depiction of the notional CMMC maturity levels and associated controls:
It’s time your organization adjusts sail to deal with these compliance wind changes, because they are shifting rapidly. Whether it be self-attestation, a DCMA audit, or preparing for the CMMC, Totem.Tech can help your organization with DFARS compliance. Give us a call or email to discuss our service offerings.