The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of contract clauses used by the US Department of Defense (DoD) to protect Controlled Unclassified Information (CUI) from foreign adversaries; the cybersecurity clause is DFARS 252.204-7012. It applies to defense contractors and flows down to their subcontractors at every tier of the supply chain. The information it covers includes materials, components and specifications for defense items, as well as other sensitive information such as purchasing, processing and commercial details. This means that every DoD contractor that handles CUI must meet the DFARS minimum security standards and, to be compliant, must structure its systems, hardware, policies and practices to protect CUI.
What Are DFARS Requirements?
The current requirement is based on NIST Special Publication 800-171, a set of 110 security requirements grouped into 14 families, published by the National Institute of Standards and Technology. To implement NIST SP 800-171, a company must assess its environment against all 110 requirements, write a System Security Plan (SSP) that describes the policies and procedures it uses to protect its own and its customers' CUI, and maintain a Plan of Action and Milestones (POA&M) that lists the requirements not yet met along with the actions and dates for closing them. Under the current system, RP Abrasives is in compliance and is working to complete all items in its Plan of Action and Milestones (POA&M), as required by the DoD.
The DoD is taking additional, more stringent steps to protect U.S. defense manufacturers from cyber threats with an initiative called the Cybersecurity Maturity Model Certification (CMMC). CMMC establishes a new framework under which defense contractors are certified as compliant; it incorporates the requirements of NIST SP 800-171 and several other existing regulations. Unlike NIST SP 800-171, which relies on contractor self-attestation, CMMC includes verification by an accredited third-party assessor. It also defines multiple maturity levels, and the required level is applied at the bidding stage of a DoD contract.
What Are CMMC Requirements?
Contractors are evaluated on their documentation and policies as well as on the implementation of technical controls. Depending on the outcome of the assessment, a manufacturer receives a CMMC certification ranging from Level 1 (Basic Cyber Hygiene) through Level 5 (Advanced). The required level comes into play at the bidding stage, not at contract signing: certification at the level named in the solicitation is a prerequisite for bidding on that contract. RP Abrasives has already begun work to comply with CMMC requirements when they take effect.
Certification Level Descriptions
Level 1 – Practices are Performed
● Basic cybersecurity, highly achievable for small companies
● Limited resistance against malicious actions and data exfiltration
Level 2 – Practices are Documented
● Inclusive of cybersecurity best practices
● Resilient against unskilled threats
● Minor resistance against malicious actions and data exfiltration
Level 3 – Processes are Followed and Maintained
● Coverage of NIST SP 800-171 rev 1 controls
● Practices beyond the scope of CUI protection
● Resilient against moderately skilled threats
● Moderate resistance against malicious actions and data exfiltration
● Extensive understanding of cyber assets
Level 4 – Processes are Reviewed, Resourced and Improved
● Comprehensive cybersecurity practices in place
● Resilient against advanced skilled threats
● Increased detection and resistance against data exfiltration
● Full and continuous knowledge of cyber assets
Level 5 – Continuous Improvement Across Business
● Highly advanced cybersecurity practices in place
● Resilient against the most advanced threats
● Comprehensive detection and resistance against data exfiltration
● Autonomous and continuous knowledge of cyber assets
To prepare for CMMC, contractors should establish an SSP and a Plan of Action and Milestones (POA&M) to implement, using the NIST SP 800-171 requirements as a starting point. Current environments will need to be reconfigured to accommodate these changes, and every POA&M item must be closed before the assessment, because CMMC does not allow certification with open POA&M items. The end goal is to raise the overall level of cybersecurity by implementing practices and updating processes throughout the company. The DoD released the CMMC framework in January 2020, and certification requirements are expected to appear in contracts as early as Fall 2020.
Learn About Our Cybersecurity Compliance
RP Abrasives is actively working to become CMMC-certified when requirements are finalized and auditors are fully trained and certified. In the meantime, we are proud to be NIST SP 800-171 compliant and would be happy to discuss with you any DoD contract requirements that we may be able to help with. Contact us today!