DFARS, CMMC, and what you need to know

Information security has gotten real for any manufacturer or supplier whose business, in part or in whole, involves the military or defense contractors. Starting back in 2016, the U.S. Department of Defense (DoD) published the first version of the Defense Federal Acquisition Regulation Supplement, or DFARS, which defines the obligations of DoD contractors for safeguarding digital information. Since the initial data security rules came out some five years ago, the DoD has regularly updated and modified the requirements for storing, transmitting, and otherwise processing “controlled information”, i.e. sensitive information with military applications.

Starting around 2018, the DFARS mandate became required of all members of the DoD supply chain. While providers had to sign off on compliance in order to win DoD-related business, there had been no substantial moves by the DoD to ensure that their suppliers were truly compliant. In early 2019, after seeing suppliers fall victim to cyber-attacks due to non-compliant security practices, Under Secretary for Defense Ellen M. Lord issued a memo to defense acquisition leaders stating her intent to audit the DoD supply chain for DFARS compliance. The memo states that she has called upon the Defense Contract Management Agency (DCMA) to audit all prime contractors for compliance and to assess the processes the primes use to check compliance among their tier one suppliers.

The DoD developed an assessment methodology and a framework to assess contractor implementation of cybersecurity requirements, and both are being implemented: the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology and the Cybersecurity Maturity Model Certification (CMMC) Framework. CMMC version 1.0 was released on January 31, 2020, and encompasses multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The good news is that the CMMC requirements are not very different from NIST SP 800-171, so in practice the CMMC is mostly a way of forcing compliance with the existing rules.

On September 30, 2020, the DoD released an interim rule to DFARS that goes into effect on November 30, 2020. These requirements not only apply to prime contractors but also roll down to subcontractors, who will be required to submit a basic self-assessment if their information system is subject to DFARS 252.204-7012 because it handles Controlled Unclassified Information (CUI).

While this may sound daunting, there is good news: Suite3 has been mapping our solutions to the NIST 800-171 framework, so all of our blog articles about Managed Detection and Response and Application Whitelisting are now more relevant than ever. If you need help assessing your IT readiness for the DFARS requirements, let’s have a conversation.