In an effort to address widely unmet requirements for protecting sensitive but unclassified information across the defense industrial base, the DoD has begun stepping up enforcement of existing cybersecurity regulations and, in some cases, making requirements even stricter. The newly released draft of NIST SP 800-171B prescribes “enhanced requirements” that will apply to selected critical programs and high-value assets. In conjunction with recent updates to the Defense Contract Management Agency (DCMA) Contractor Purchasing System Review (CPSR) Guidebook, which add review of contractor cybersecurity compliance and supply-chain cyber risk management practices, and a planned rollout of third-party compliance certification standards, defense contractors face increased pressure to improve cyber practices across the entire industrial base.
“We’re seeing more and more companies start to realize that merely having a plan is no longer enough,” said Ted Liu, Director of the Cyber Collaboration Center, a non-profit focused on building awareness and providing educational resources to the defense contracting community, including a series of no-cost thought leadership webinars on DFARS 7012 topics. “To stay ahead of the curve on compliance, all defense contractors should tighten up their basic cybersecurity practices. And at a minimum, for those who are handling CUI or CDI, the DoD is making it clear that it’s time to fully implement all of the DFARS 7012 requirements, including everything listed in NIST 800-171.”
Adherence to NIST cybersecurity standards is mandated by DFARS 252.204-7012 for contractors who handle Covered Defense Information (CDI), but the regulations have largely remained unimplemented. Now the DoD is planning to establish a certification program in which 3rd party assessors will validate contractor compliance within a multi-level model referred to as the Cybersecurity Maturity Model Certification (CMMC). Draft guidelines for CMMC are expected to be released later this year.
A new no-cost webinar on these topics, DFARS 7012 Webinar #10, “Upcoming DFARS Cybersecurity Audits and 3rd Party Certifications: DCMA CPSR / NIST 800-171B / CMMC,” will be broadcast via live streaming on Wednesday, July 17 at 4:00 PM ET. In this webinar, Jeffery A. White, C.P.M., CEO and founder of the DCMA CPSR audit consulting firm J.A. White & Associates, will discuss strategies to prepare for new DCMA CPSR cybersecurity audits, and DFARS / NIST cybersecurity compliance experts from eResilience will provide critical updates on the new NIST 800-171B draft and the upcoming Cybersecurity Maturity Model Certification (CMMC) standard that could impact all DoD contractors.