Assessing Contractor Implementation of Cybersecurity Requirements

To achieve a certain CMMC level, a DIB company must demonstrate both the institutionalization or maturity of processes and the implementation of practices that correspond to that level. CMMC assessments are conducted by CMMC-accredited third-party assessment organizations (C3PAOs). Upon completion of a CMMC assessment, a company receives certification from the independent CMMC Accreditation Body (AB) at the appropriate CMMC level (as described in the CMMC model). The certification level is documented in SPRS to allow verification of a supplier's certification level and currency (i.e., no more than three years old) prior to entering into a contract. For more information about CMMC and a copy of the CMMC model, see www.acq.osd.mil/cmmc/index.html. To submit a Basic Assessment, the contractor must complete six fields: the name of the system security plan (if more than one system is involved); the CAGE code associated with the plan; a brief description of the plan's architecture; the date of the assessment; the total score; and the date by which a score of 110 will be achieved. All of this data comes from the Basic Assessment itself, the existing system security plan and the plans of action. The contractor uses the date on which the last plan of action is scheduled to be completed as the date by which a score of 110 will be achieved. The effort required to submit a Basic Assessment for posting to SPRS is estimated at 15 minutes per entity at a Level 2 journeyman labor rate (0.25 hours * $99.08/hour = $24.77/assessment). Therefore, the total cost per assessment per company is approximately $74.31 ($49.54 + $24.77). DoD is issuing an interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a DoD assessment methodology and the Cybersecurity Maturity Model Certification (CMMC) framework in order to assess contractors' implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.
(c) In addition to the requirements of FAR 17.207(c), do not exercise an option until: Solicitations that include DFARS 252.204-7021 also indicate the required CMMC level. Defense contractors must be certified at the required CMMC level at the time of award and must maintain that certification for the duration of the contract.

Contractors must also ensure that subcontractors are certified at the appropriate CMMC level before subcontracting. In addition, contractors and subcontractors may elect to achieve a specific CMMC level for their entire enterprise network or for particular enclaves, depending on where the information to be protected is processed, stored, or transmitted. (a) Until September 30, 2025, in solicitations and contracts, task orders or delivery orders, including those using FAR Part 12 procedures for the acquisition of commercial items, except for solicitations and contracts or orders solely for the acquisition of commercially available off-the-shelf (COTS) items, if the requirement document or statement of work requires a contractor to have a specific CMMC level. To implement a phased rollout of CMMC, the inclusion of a CMMC requirement in a solicitation must be approved by OUSD(A&S) during this period. Subcontractors at all tiers should be aware of this requirement and ensure compliance in order to remain eligible for awards. The assessment uses a standard scoring methodology that reflects the net effect of the NIST SP 800-171 security requirements not yet implemented by a contractor, and three assessment levels (Basic, Medium and High) that reflect the depth of the assessment performed and the associated level of confidence in the resulting score. A Basic Assessment is a self-assessment performed by the contractor, while Medium and High Assessments are performed by the Government. Assessments are conducted for each covered contractor information system relevant to the solicitation, contract, task order or delivery order.
This rule is an important part of the cybersecurity framework [4] and builds on the existing cybersecurity requirements of the FAR and DFARS clauses by (1) adding a mechanism to immediately begin assessing contractors' current state of NIST SP 800-171 implementation in the information systems on which they process CUI; and (2) requiring contractors and subcontractors to take steps to fully implement existing cybersecurity requirements, together with additional processes and practices, to protect FCI and CUI in their information systems, for review under the CMMC framework. There is an urgent need for the Department of Defense to immediately begin assessing where vulnerabilities exist in its supply chain and to take steps to correct those deficiencies, which can be achieved by requiring contractors and subcontractors that handle DoD CUI in their information systems to conduct a NIST SP 800-171 Basic Assessment.

Although this rule has a delayed effective date, contractors and subcontractors required to implement NIST SP 800-171 under DFARS clause 252.204-7012 are encouraged to promptly conduct and submit a self-assessment as described in this rule, in order to facilitate the Department's assessment. The rule is not subject to the requirements of E.O. 13771 because it is issued with respect to a national security function of the United States. CMMC certification is required only at the time of award; it does not have to be completed before then. For example, entering the self-assessed score allows a contracting officer to verify in SPRS that a prospective awardee has a current NIST SP 800-171 DoD Assessment before awarding the contract. External assessors are appointed to verify that DIB companies have institutionalized or matured the processes and implemented the practices that correspond to the required level. In addition, given the size and scope of the DIB sector, the Department cannot expand its organic cybersecurity assessment capacity enough to conduct on-site assessments of approximately 220,000 Department of Defense contractors every three years. As a result, the Department's organic assessment capacity is best used for targeted assessments of a subset of DoD contractors. This rule requires government contractors to implement new cybersecurity requirements and improve the protection of unclassified information throughout the Department of Defense's supply chain. Below is a comprehensive guide to the new process.

After a contract is awarded, DoD may decide to conduct a Medium or High Assessment of a contractor based on the criticality of the program or the sensitivity of the information handled by the contractor. As part of Medium and High Assessments, DoD assessors review the contractor's system security plan description of how each NIST SP 800-171 requirement is met and identify any descriptions that may not properly address the security requirements. The contractor must provide DoD with access to its facilities and personnel as necessary and must prepare for and participate in the assessment conducted by DoD. As part of a High Assessment, a contractor is asked to demonstrate its implementation of the system security plan. DoD will post the results in SPRS. The rule does not duplicate, overlap or conflict with other federal rules. Rather, this rule validates and verifies contractors' compliance with the existing cybersecurity requirements in FAR 52.204-21 and DFARS 252.204-7012 and ensures that the entire DIB has the appropriate cybersecurity processes and practices in place to adequately protect FCI and CUI during the performance of DoD contracts. On September 29, 2020, the Department of Defense issued an interim rule on assessing contractor implementation of cybersecurity requirements. The rule will affect about 220,000 DoD contractors. It encourages every DoD contractor to self-assess against the 110 NIST Special Publication (SP) 800-171 security requirements and submit its score to DoD via the Supplier Performance Risk System (SPRS). A new contract clause imposing this requirement will appear in solicitations and other contract actions as of November 30, 2020.
(b) This subsection does not relieve the contractor of any other requirements relating to the contractor's general physical, personnel, information, technical or administrative security operations governing the protection of unclassified information, or of the requirements of the National Industrial Security Program […].
