As the geopolitical environment continues to evolve, your duties as a member of the Defense Industrial Base (DIB) become increasingly important. It is increasingly clear that cyberspace will be of particular interest to adversaries of the United States. In response, the Department of Defense expects its contractors to be prepared to defend against cyberattacks at any time. As a DIB contractor, you are in a privileged position. Whether you’re new to the industry or have several contracts under your belt, it is always a good idea to educate yourself on what the DoD requires of you. Failure to stay up to date could put your business at risk and result in serious consequences for the US Defense apparatus.
When you’re busy with day-to-day operations, you may find it difficult to keep up with the DoD’s cybersecurity policies. Luckily, there are a few key concepts that will give you a general understanding of what you need to do. Understanding DFARS, NIST 800-171, and CMMC compliance will give you the framework you need to protect your business and country in cyberspace.
Defense Federal Acquisition Regulation Supplement
The Defense Federal Acquisition Regulation Supplement is the bedrock of DoD cybersecurity policy. If you are not already familiar, think of it as the rule book for contractors who provide goods and services to the DoD. Doing business with the US Government may put you in contact with sensitive forms of information that criminals and adversaries wish to acquire. The DFARS calls this Controlled Unclassified Information (CUI), and it uses a document called NIST 800-171 to instruct contractors on how to protect it.
NIST 800-171
National Institute of Standards and Technology Special Publication 800-171 is a document that defines appropriate measures to protect CUI under DFARS. In other words, NIST 800-171 will explain the practices and measures necessary for you to protect your contracts and the interests of the Defense Department.
As the DoD dedicates more strategic resources to cyberspace, it is also increasing its oversight of the security practices of its contractors. In the past, DIB contractors were generally allowed to self-certify the integrity of their systems. Today, contractors like yourself are preparing for an added layer of protection known as CMMC compliance.
Compliance With CMMC 2.0
CMMC stands for Cybersecurity Maturity Model Certification. Many contractors find that CMMC is the most confusing part of their cybersecurity obligations to the Defense Department. While this is partially due to constantly changing information, it also has to do with the varying nature of business within the DIB.
Simply put, CMMC 2.0 does two things. It primarily adds a layer of oversight so that the DoD can be sure that contractors are in compliance with NIST 800-171 under DFARS. Additionally, it establishes a three-tier system that ranks contractors based on their exposure to sensitive information. Depending on the tier that your firm falls under, you will have to affirm your compliance by self-certification, third-party verification, or an assessment by the DoD itself.
While these concepts are a great place to begin, never underestimate the benefit of a quality compliance management service to ensure that your systems are totally up to date.