The compliance burden is shifting.

What DoD suppliers need to know about preparing for CMMC

With CMMC – Cybersecurity Maturity Model Certification – the burden shifts to suppliers to demonstrate cybersecurity compliance under the existing DFARS and NIST requirements. Supplier compliance will also be verified by third-party audits and measured by a process component that evaluates effectiveness through cybersecurity maturity. Suppliers can’t wait until a contract is awarded; certification is a prerequisite to bidding. Compliant suppliers gain a competitive advantage as the lowest-risk partner for prime bidders.

Consider how you will:

  • Adapt to CMMC when it fully rolls out
  • Compete when your compliance is lacking
  • Contend with audited, vs. declared, compliance

Government programs, and the prime contractors running them, can’t succeed without the goods and services provided by multiple tiers of suppliers worldwide. As integral participants on these programs, suppliers gain access to controlled unclassified information (CUI), covered defense information, and other sensitive information.

This circumstance makes suppliers high-priority targets for cyber-attacks that threaten national security through stolen data and intellectual property.

The Department of Defense (DoD), recognizing that its supply chain is only as strong as its weakest link, instituted Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, with a compliance deadline of December 31, 2017. That clause obliges contractors to self-attest that they and all of their suppliers on a DoD contract:

  • Comply with the 110 security controls identified in Special Publication (SP) 800-171 from the National Institute of Standards and Technology (NIST)
  • Develop and implement a System Security Plan (SSP)
  • Build and execute a Plan of Actions and Milestones (POA&M) to address NIST SP 800-171 compliance shortcomings

CMMC will change routines.

Know what’s ahead.

CMMC differs from its predecessor along several vectors that up the ante for suppliers as it:

  • Incorporates the security controls of NIST 800-171 and adds practices from other standards like ISO 27001
  • Adds a process component meant to ensure continuous cybersecurity maturity
  • Replaces self-attestation with a certification audit conducted by an approved third-party assessor
  • Eliminates the air-cover provided by prime contractors because suppliers must get their own certifications

DoD announced CMMC in early 2019. Suppliers will begin seeing it in select Requests for Information and Requests for Proposals in 2020, and the program is to be fully phased in by 2026. During that transition, suppliers will have to satisfy both the current DFARS 252.204-7012 clause and CMMC.

The time to prepare is now. DoD suppliers that wait may find themselves at a significant competitive disadvantage.

How Exostar can help

Whether completing a NIST SP 800-171 self-assessment or preparing for a CMMC audit, suppliers benefit from risk-management solutions that:

  • Offer explanations of security controls, practices, and processes, as well as assistance determining where the supplier stands relative to each
  • Support creating new policies, and evaluating existing ones, against NIST SP 800-171 and CMMC requirements
  • Enable compliant collaboration and information sharing between suppliers and prime contractors

Take action now. Get ahead of the curve for future business with government prime contractors.

Be prepared. Get the right tools:

Certification Assistant

Partner Information Manager (PIM)

Exostar PolicyPro

ForumPass Defense

How NIST SP 800-171 Affects Suppliers

Meeting the requirements of DFARS 252.204-7012 hasn’t presented a particularly heavy lift to suppliers for two reasons:

  • The burden has fallen to prime contractors to confirm compliance for their entire supply bases
  • The clause only calls for self-assessment and self-attestation, leaving ample room for interpretation and minimal external oversight

Change Is Coming

As a result, suppliers will feel the impact of two DoD initiatives:

  • More frequent and thorough audits of prime contractors against 252.204-7012 requirements. Because of the flow-down provision in the clause that makes prime contractors responsible for the compliance of all of their suppliers, expect primes to be more diligent in their NIST SP 800-171 oversight of suppliers.
  • The transition from the current requirements to a new program, the Cybersecurity Maturity Model Certification (CMMC), which mandates that every company that does business with the DoD – no matter how far down the supply chain – obtains its own certification.