Cybersecurity For Defense Contractors
Prime Contractors: Every prime contractor is subject to an assessment of its NIST SP 800-171 compliance (using the NIST SP 800-171A assessment procedures) by DCMA (the Defense Contract Management Agency). The assessment consists of two stages: a Medium-level assessment and a follow-on High-level assessment (also known as a High Confidence assessment).
Note: Because of current government travel restrictions due to COVID-19, most of these assessments are being carried out virtually, but some portions of an assessment are still conducted live, on-site, by an assessor.
Being properly prepared for these assessments is crucial. You will be assessed on the 110 NIST SP 800-171 controls, and each control you fail to satisfy results in points being deducted from your overall score (under the DoD assessment methodology, each unimplemented control is weighted at 1, 3 or 5 points, so the score can fall well below zero). All scores are posted in SPRS (the Supplier Performance Risk System), which is the database that DoD customers refer to when determining whether a contractor is exercising compliance due diligence. A lower score may result in not being selected in a competitive bidding environment. It is important to understand what DCMA looks for: it is a lot more than checking boxes and providing generic policies.
Subcontractors: Subcontractors are not subject to government assessment of their NIST SP 800-171 compliance by DCMA at this time (note: if you are the prime on any other contract, you will be assessed). This does not mean that subcontractors need to be any less prepared than a prime contractor. It is incumbent on every government contractor to meet NIST SP 800-171 regardless of whether it will be subject to a government assessment. Prime contractors are required to flow the clause down to their subcontractors and remain responsible for non-compliance by those subcontractors. This may influence which team partners they choose.
Cybersecurity Maturity Model Certification (CMMC): This is changing the compliance landscape substantially. Regardless of whether you are a prime or a subcontractor, any company wanting to do business with the DoD must become CMMC certified. Some new contracts already specify this, and eventually all will. There are five levels, and RFPs and contracts will specify which level must be met. Any contract involving CUI (Controlled Unclassified Information) will need to meet CMMC Level 3 at a minimum. CMMC Level 3 builds upon all 110 controls of NIST SP 800-171, which further substantiates the need to be fully NIST compliant as described above. The CMMC program is still evolving, but the time to start preparing to be certified is now.
For further information, please contact LogiCore.