Although the Department of Defense (DoD) has mandated NIST cybersecurity standards for contractors who handle Covered Defense Information (CDI) under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 since December 31, 2017, the regulations have by and large not been implemented.
Now the DoD is stepping up enforcement of its existing regulations and adding new and stricter requirements to protect sensitive but unclassified information across the defense industrial base.
The newly released draft of NIST SP 800-171B prescribes “enhanced requirements” that will apply to selected critical programs and high value assets. In conjunction with recent updates to the Defense Contract Management Agency (DCMA) Contractor Purchasing System Review (CPSR) Guidebook adding review of contractor cybersecurity compliance and supply-chain cyber risk management practices, and a planned rollout of 3rd party compliance certification standards, defense contractors face increased pressure to improve cyber practices across the entire industrial base.
“We’re seeing more and more companies start to realize that merely having a plan is no longer enough,” said Ted Liu, Director of the Cyber Collaboration Center, a non-profit focused on building awareness and providing educational resources to the defense contracting community, including a series of no-cost thought leadership webinars on DFARS 7012 topics. “To stay ahead of the curve on compliance, all defense contractors should tighten up their basic cybersecurity practices. And at a minimum, for those who are handling CUI or CDI, the DoD is making it clear that it’s time to fully implement all of the DFARS 7012 requirements, including everything listed in NIST 800-171.”
DoD now plans to establish a certification program in which 3rd party assessors will validate contractor compliance within a multi-level model referred to as the Cybersecurity Maturity Model Certification (CMMC). Draft guidelines for CMMC are expected to be released later this year.
A free webinar on these topics, DFARS 7012 Webinar #10, “Upcoming DFARS Cybersecurity Audits and 3rd Party Certifications: DCMA CPSR / NIST 800-171B / CMMC,” will be broadcast via live streaming on Wednesday, July 17 at 4:00 PM ET. Jeffery A. White, C.P.M., CEO and founder of leading DCMA CPSR audit consulting firm J.A. White & Associates, will discuss strategies to prepare for new DCMA CPSR cybersecurity audits, and DFARS / NIST cybersecurity compliance experts from eResilience will provide critical updates on the new NIST 800-171B draft and the upcoming Cybersecurity Maturity Model Certification (CMMC) standard that could impact all DoD contractors.
Source: Cyber Collaboration Center