Impacts of Current (NIST SP 800-171) and Future (CMMC) Standards
To boost cybersecurity across the supply chain, DoD has been raising compliance standards and stepping up audits. In this climate of heightened scrutiny, smart verification solutions are key to assuring compliance. OEMs can, and are, employing these products to reduce risk to their teams while saving time and lowering risks associated with validating cybersecurity to DoD standards.
Consider how you will:
The Department of Defense (DoD) created Defense Federal Acquisition Regulations Supplement (DFARS) clause 252.204-7012 to better protect controlled unclassified information (CUI), covered defense information, and other sensitive data from compromise. The clause places responsibility for stronger cybersecurity across the DoD supply chain squarely on the shoulders of prime contractors. It requires them to meet all of the following specifications while ensuring all of direct and indirect suppliers do as well:
DFARS 252.204-7012 allows prime contractors and their suppliers to self-assess their status, and primes can self-attest to the results.
Collaboration is key.
Be prepared.
Between 2020 and 2026, prime contractors will have to manage some programs that include the current DFARS clause with its NIST SP 800-171 self-assessment and self-attestation. They will also have to handle flow-down requirements to suppliers, and others that require CMMC third-party-granted certifications for all participating companies.
In either case, prime contractors must understand the cybersecurity capabilities and maturity of all their suppliers. Primes will do well to empower their suppliers with the tools to self-assess their status and prepare to successfully pass an audit. Close collaboration will be critical for securely sharing information with suppliers.
Complexity, and the stakes, are much higher. The level of effort necessary to collaborate securely and efficiently is way beyond standard operating procedure for most organizations.
Under DoD’s tightened cybersecurity standards, smart tools will be essential for streamlining practices and processes while preserving operational efficiency.
Exostar can help. Find out how.
How Exostar can help
Preserve operational efficiency while compliantly securing your supplier network. With Partner Information Manager (PIM) and ForumPass Defense (FPD), OEMs can:
Don’t wait to better assure your supply chain. Get the right tools:
Partner Information Manager (PIM)
Transitioning from NIST SP 800-171 to CMMC
DFARS clause 252.204-7012 went into effect in December 2017 and remains in place today. However, CUI exfiltration remains a significant issue, and DoD audits of select prime contractors have confirmed substantial shortcomings with NIST SP 800-171 compliance. Audits also have revealed insufficient POA&M execution to fill the gaps.
As a result, in the near term, prime contractors can expect the DoD to conduct more frequent and thorough audits, which will place these contractors under the microscope for their own operations and those of companies across their multitier supply chains.
Over the longer term, the DoD intends to replace the legacy components of 252.204-7012 with a program it launched in early 2019, the Cybersecurity Maturity Model Certification (CMMC), which:
Although prime contractors no longer need to flow-down elements of DFARS 252.204-7012 throughout their supply chains and assume responsibility for the results, they must ensure that all of their suppliers are certified at the CMMC level identified in a DoD program solicitation. They will be unable to bid otherwise.
