Are you aware of the mandatory cybersecurity DFARS compliance deadline of December 31, 2017? (See Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.”)
As of December 31, 2017, all DoD contractors (including small businesses) must meet minimum cybersecurity requirements or risk losing DoD business. Unfortunately, many manufacturing companies are not even aware of this deadline and what they must do to become compliant.
In addition, a new cybersecurity standard was published in 2020, Cybersecurity Maturity Model Certification (CMMC). Depending on the federal contract under which you are working, you may need to meet NIST 800-171 or CMMC.
NIST Special Publication 800-171
NIST Special Publication 800-171 covers the protection of “Controlled Unclassified Information” (CUI) defined as information created by the government, or an entity on behalf of the government, that is unclassified, but needs safeguarding. (See "NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.")
NIST 800-171 provides a set of guidelines that outline the processes and procedures that companies need to implement to safeguard this information.
Learn more about NIST SP 800-171 by downloading the white paper, "What You Should Know About NIST 800-171 & CMMC."
Who Needs to Comply
With cybersecurity a focal point for the DoD and all major industries, safeguarding manufacturing supply chains is becoming more important than ever.
Does your company conduct business directly, or indirectly as a tiered supplier, with the US federal government or DoD?
Due to increased concerns about cyberattacks, any manufacturer, either an OEM or tiered supplier, contractually doing business with the DoD, General Services Administration (GSA), or NASA must be compliant with defined cybersecurity requirements as of December 31, 2017.
Companies that are currently working on a contract for the DoD, regardless of tier, need to be aware of the NIST compliance requirements called out in the clauses of their contract.
If you're a manufacturer, you need to make sure you are compliant with your federal government contract.
The standards are outlined in a publication from the National Institute of Standards and Technology (NIST). (See "NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.") The standards fall into 14 areas with specific security requirements that must be implemented.
The 14 categories are:
- Access control
- Awareness & training
- Audit & accountability
- Configuration management
- Identification & authentication
- Incident response
- Maintenance
- Media protection
- Personnel security
- Physical protection
- Risk assessment
- Security assessment
- System & communications protection
- System & information integrity
Ramifications for Non-compliance
What does this mean for you as a DoD contractor?
If a contractor does not have proof of compliance, the company risks removal from the approved DoD vendor list. The DoD Chief Information Officer must now be notified within 30 days of contract award of any security requirements, including cybersecurity compliance requirements, that were not implemented at the time of award.
Don't risk loss of business. There are costs involved in becoming NIST compliant, but you may not need to spend as much as you think. Learn more in "3 Myths About NIST 800-171 and NIST Compliance."
Manufacturers need to prepare for the NIST 800-171 mandate, and you may be wondering exactly what you need to do to meet federal government cybersecurity requirements.
How to Achieve Compliance
To increase the cybersecurity posture of companies operating in government supply chains, a new certification has been created, Cybersecurity Maturity Model Certification (CMMC).
The Department of Defense is transitioning from NIST 800-171 to the CMMC framework to increase the security posture of the Defense Industrial Base (DIB).
With the CMMC framework, you may need to undergo a CMMC assessment by an outside party, or you may be able to self-attest to CMMC compliance. Which applies depends on the CMMC level you need to meet and the type of information you handle in performance of a contract.
- Protecting unclassified information that still needs safeguarding
- All manufacturers contractually doing business with the US government as a prime contractor or as a sub for a prime contractor
- Loss of business for non-compliance, removal from approved DoD vendor list
Corserva has been performing NIST assessments for companies that need to comply with NIST 800-171 since 2015.
Corserva can advise companies in their preparation for a CMMC assessment by a CMMC Third-Party Assessment Organization (C3PAO), the only type of entity authorized to perform CMMC assessments.
Corserva is a CMMC-AB Registered Provider Organization™ (RPO) and we are listed on the CMMC-AB Marketplace.
As an RPO, Corserva is authorized by the CMMC Accreditation Body (CMMC-AB) to provide pre-assessment consulting services to government contractors and other Organizations Seeking Certification (OSC).
Learn more about our NIST assessments and CMMC readiness services.