Defense Federal Acquisition Regulation Supplement, or DFARS, is a set of restrictions utilized by the US Department of Defense to protect Controlled Unclassified Information (CUI) from foreign advisories. It applies to all defense contractors and their subcontractors in any supply chain. It refers to materials, components, and specifications for these items and other sensitive information such as purchasing, processing, and commercial details. All Department of Defense contractors who work with unclassified information must meet the DFARS minimum security standards. To meet compliance, they must structure their systems, hardware, policies, and practices to protect CUI.
The current system is based on a set of recommendations referred to as NIST SP– 800 – 171. This is a set of 110 recommendations within 14 categories, established by the National Institute of Standards and Technology. To use NIST SP 800 – 171, there must be a business assessment against these 110 recommendations and a system security plan (SSP) that describes the policies and procedures the company will use to protect its, and its customers controlled unclassified information (CUI). These practices are followed by a program of actions and milestones (POAM), an action plan to comply with all 110 recommendations fully. Under the current system, RP Abrasives complies and works on completing all items for the Plan of Actions & Milestones (POAM) mandated by the DoD.
The Department of Defense (DoD) is taking additional and more stringent steps to protect U.S. defense manufacturers from cyber threats with an initiative called the Cybersecurity Maturity Model Certification (CMMC). This will establish a new framework for defense contractors to become certified compliant, incorporating the requirements of NIST SP 800-171 and several other existing regulations. CMMC will have a verification component by a third-party auditor. It will also encompass multiple maturity levels and be applied at a DoD contract's bidding stage.
Contractors will be evaluated based on their documentation and policies and the implementation of technical controls. Depending on the outcome of the evaluation, manufacturers will receive a CMMC certification ranging from Level 1 (Basic) through Level 5 (Advanced). This comes into play at the bidding stage, not at the contract signing - this is a preliminary qualification required before bidding on a contract. RP Abrasives has already begun work to comply with CMMC requirements when they take effect.
Level 1 - Practices are Performed
- Basic cybersecurity, highly achievable for small companies
- Limited resistance against malicious actions and data exfiltration
Level 2 - Practices are Documented
- Inclusive of cybersecurity best practices
- Resilient against unskilled threats
- Minor resistance against malicious actions and data exfiltration
Level 3 - Processes are Followed and Maintained
- Coverage of NIST SP 800-171 rev 1 controls
- Practices beyond the scope of CUI protection
- Resilient against moderately skilled threats
- Moderate resistance against malicious actions and data exfiltration
- Extensive understanding of cyber assets
Level 4 - Processes are Reviewed, Resources and Improved
- Comprehensive cybersecurity practices in place
- Resilient against advanced skilled threats
- Increased detection and resistance against data exfiltration
- Full and continuous knowledge of cyber assets
Level 5 - Continuous Improvement Across Business
- Highly advanced cybersecurity practices in place
- Resilient against the most advanced threats
- Comprehensive detection and resistance against data exfiltration
- Autonomous and continuous knowledge of cyber assets
To prepare for CMMC, contractors should establish an SSP and a Plan of Action to implement, with NIST SP 800-171 requirements as a starting point. Current environments must be reconfigured to accommodate these changes, and all Plan of Action items must be addressed. The end goal will be to increase the overall level of cybersecurity comprehensiveness by implementing practices and updating processes throughout the company. As of January 2020, the CMMC framework will be implemented by the DoD, and certification requirements for contracts will begin as early as Fall 2020.
Learn About Our Cybersecurity Compliance
RP Abrasives is actively working to become CMMC-certified when requirements are finalized and auditors are fully trained and certified. In the meantime, we are proud to be NIST SP 800 – 171 compliant and would be happy to discuss with you any DoD contract requirements that we may be able to help with. Contact us today!