Government programs, and the prime contractors running them, can’t succeed without the goods and services provided by multiple tiers of suppliers worldwide. As integral participants on these programs, suppliers gain access to controlled unclassified information (CUI), covered defense information, and other sensitive information.
That access makes suppliers high-priority targets for cyber-attacks that threaten national security through stolen data and intellectual property.
The Department of Defense (DoD), recognizing that its supply chain is only as strong as its weakest link, instituted Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 in December 2017. That clause obliges contractors to self-attest that they and all of their suppliers on a DoD contract:
- Comply with the 110 security controls identified in Special Publication (SP) 800-171 from the National Institute of Standards and Technology (NIST)
- Develop and implement a System Security Plan (SSP)
- Build and execute a Plan of Actions and Milestones (POA&M) to address NIST SP 800-171 compliance shortcomings
CMMC will change routines.
Know what’s ahead.
CMMC differs from its predecessor in several ways that raise the stakes for suppliers. It:
- Incorporates the security controls of NIST 800-171 and adds practices from other standards like ISO 27001
- Adds a process component meant to ensure continuous cybersecurity maturity
- Replaces self-attestation with a certification audit conducted by an approved third-party assessor
- Eliminates the air cover provided by prime contractors because suppliers must get their own certifications
CMMC launched in early 2019. Suppliers will see it in select Requests for Information and Requests for Proposals beginning in 2020, and the program will be fully phased in by 2026. Over that period, suppliers will have to account for both the current DFARS 252.204-7012 clause and CMMC.
The time to prepare is now. DoD suppliers that wait may find themselves at a significant competitive disadvantage.