What DoD suppliers need to know about preparing for CMMC
With CMMC – Cybersecurity Maturity Model Certification – the burden falls to suppliers to confirm cybersecurity compliance under existing DFARS and NIST terms. Supplier compliance will also face third-party audits and a process component that evaluates effectiveness through cybersecurity maturity. Suppliers can’t wait until the contract is awarded; compliance is a prerequisite to bid participation. Compliant suppliers can benefit competitively as the least-risk partner to prime bidders.
Consider how you will:
Government programs, and the prime contractors running them, can’t succeed without the goods and services provided by multiple tiers of suppliers worldwide. As integral participants on these programs, suppliers gain access to controlled unclassified information (CUI), covered defense information, and other sensitive information.
This circumstance makes suppliers high-priority targets for cyber-attacks that threaten national security through stolen data and intellectual property.
The Department of Defense (DoD), recognizing that its supply chain is only as strong as its weakest link, instituted Defense Federal Acquisition Regulations Supplement (DFARS) clause 252.204-7012 in December 2017. That clause obliges contractors to self-attest that they and all of their suppliers on a DoD contract:
CMMC will change routines.
Know what’s ahead.
CMMC differs from its predecessor along several vectors that up the ante for suppliers as it:
CMMC launched in early 2019. Suppliers will see it in select Requests for Information and Requests for Proposals beginning in 2020, and the program will be fully phased in by 2026. Over that period, suppliers will have to account for both the current DFARS 252.204-7012 clause and CMMC.
The time to prepare is now. DoD suppliers that wait may find themselves at a significant competitive disadvantage.
How Exostar can help
Whether completing a NIST 171 self-assessment or preparing for a CMMC audit, suppliers can benefit through risk-management solutions that:
Take action now. Get ahead of the curve for future business with government prime contractors.
Be prepared. Get the right tools:
How NIST SP 800-171 Affects Suppliers
Meeting the requirements of DFARS 252.204-7012 hasn’t presented a particularly heavy lift to suppliers for two reasons:
Change Is Coming
As a result of these circumstances, suppliers will feel the impacts of a pair of DoD initiatives: