With CMMC – Cybersecurity Maturity Model Certification – the burden falls to suppliers to confirm cybersecurity compliance under existing DFARS and NIST terms. Supplier compliance will also face third-party audits, plus a process component that evaluates effectiveness through cybersecurity maturity. Suppliers can’t wait until the contract is awarded; compliance is a prerequisite to bid participation. Compliant suppliers can benefit competitively as the least-risk partner to prime bidders.
Consider how you will:
Government programs, and the prime contractors running them, can’t succeed without the goods and services provided by multiple tiers of suppliers worldwide. As integral participants on these programs, suppliers gain access to controlled unclassified information (CUI), covered defense information, and other sensitive information.
This circumstance makes suppliers high-priority targets for cyber-attacks that threaten national security through stolen data and intellectual property.
The Department of Defense (DoD), recognizing that its supply chain is only as strong as its weakest link, instituted Defense Federal Acquisition Regulations Supplement (DFARS) clause 252.204-7012 in December 2017. That clause obliges contractors to self-attest that they and all of their suppliers on a DoD contract:
CMMC will change routines.
Know what’s ahead.
CMMC differs from its predecessor along several vectors that up the ante for suppliers. It:
CMMC launched in early 2019. Suppliers will see it in select Requests for Information and Requests for Proposals beginning in 2020, and the program will be fully phased in by 2025. Over that five-year period, suppliers will have to account for both the current DFARS 252.204-7012 clause and CMMC.
The time to prepare is now. Suppliers that wait may find themselves at a significant competitive disadvantage.
In this environment, exfiltration of CUI has continued relatively unabated. Random audits of prime contractors revealed unacceptably poor cybersecurity hygiene, despite the DFARS clause.
How Exostar can help
Whether completing a NIST 171 self-assessment or preparing for a CMMC audit, suppliers can benefit through risk-management solutions that:
Take action now. Get ahead of the curve for future business with government prime contractors.
Be prepared. Get the right tools:
How NIST SP 800-171 Affects Suppliers
Meeting the requirements of DFARS 252.204-7012 hasn’t presented a particularly heavy lift to suppliers for two reasons:
The clause only calls for self-assessment and self-attestation, leaving ample room for interpretation and minimal external oversight
Change Is Coming
As a result of these circumstances, suppliers will feel the impacts of a pair of DoD initiatives: