Don’t risk losing contract renewals, option years, or the ability to secure future contracts because of non-compliance. There are no shortcuts or quick fixes, only hard work with a trusted partner. Withum can help by providing NIST gap assessments, building the required documentation (your opportunity to tell your story), and assisting with your path to compliance.
What is DFARS 7012, NIST 800-171 Security Requirements and CMMC?
- DFARS 252.204-7012 includes a set of requirements for contractors to implement the technical and procedural controls specified by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 to protect sensitive information and to report cyber incidents rapidly.
- NIST SP 800-171 is the authoritative source of security requirements for organizations that must securely process Controlled Unclassified Information (CUI). It consists of 110 security controls and 320 assessment objectives.
- Cybersecurity Maturity Model Certification (CMMC) 2.0 was released in November 2021 as the next stage in the Department of Defense’s (DoD) efforts to secure the Defense Industrial Base (DIB) and its supply chain. CMMC requires third-party certification of compliance with DFARS 7012.
Don’t Wait to be NIST 800-171 Compliant
Waiting for CMMC to be finalized is a compliance “trap”. Organizations take approximately 12 to 15 months on average to be ready for a CMMC or other third-party assessment, so they should prepare for CMMC now. With the CMMC rule coming into view, the last thing organizations want is to be scrambling, tying up loose ends and fixing non-compliance issues at the last minute. The delay could mean a loss of revenue for your business.
If your organization sells products or services to the U.S. government, you are required to comply with the minimum cybersecurity standards set by FAR 52.204-21.
If your company produces products or services used by the Department of Defense (DoD), you may be required to comply with the minimum cybersecurity standards set by DFARS.
FAR 52.204-21 requires government contractors to follow 15 basic safeguarding requirements and procedures to protect systems used to collect, process, maintain, use, share, disseminate, or dispose of Federal Contract Information (FCI). These requirements are sometimes called the “FAR 15”.
DFARS addresses requirements for safeguarding Covered Defense Information (CDI) in government contractor systems; the covered information includes CDI and CUI. Clause 252.204-7012 expands these safeguards to include cyber incident reporting requirements.
Contractors handling CUI are required to follow NIST SP 800-171, report cyber incidents, and report cybersecurity gaps.
Since late 2017, government contractors have been inaccurately self-attesting to NIST 800-171 compliance, which has resulted in serious cybersecurity deficiencies, security breaches, and exfiltration of sensitive data from the Defense Industrial Base (DIB).
As a result, additional DFARS clauses have been moving forward for all future DoD solicitations and contracts, task orders, and delivery orders:
Primes and subcontractors are required to submit a self-assessment of their NIST 800-171 controls through the Supplier Performance Risk System (SPRS).
Primes and subcontractors are required to give the DoD access to their infrastructure to verify the self-assessment (via DCMA), and contractors must flow the requirements down to their subcontractors.
Cybersecurity Maturity Model Certification (CMMC) is a pending requirement under a soon-to-be-released rule. It requires a certified third party to conduct an extensive assessment to validate that an organization has implemented the requirements under DFARS 7012.
How We Can Help
The assessment process is an information-gathering and evidence-producing activity to determine the effectiveness of the safeguards intended to meet the set of security requirements specified in NIST Special Publication 800-171.
- Scoping – Where is your CUI? What are your CUI requirements, where does the CUI flow within your organization, and to whom? This defines what is within scope.
- Security and Risk Assessments – These identify the risks related to CUI and determine your current alignment, gaps, and non-alignment for each control/practice and each assessment objective.
- Plan of Actions and Milestones (POA&M) – The POA&M contains your organization’s corrective action plans for your cybersecurity program. This is your “to-do” list, managed across your organization.
- System Security Plan (SSP) – The SSP is your story of how you are meeting the security requirements, since NIST calls for “evidence” of compliance. It is an “artifact” required by NIST SP 800-171 and the Cybersecurity Maturity Model Certification (CMMC), and a critical document.
Why Partner With Withum for NIST Consulting
Withum’s Cyber and Information Security team has well over 20 years of combined experience providing NIST 800-171 compliance support services to clients. We’re well-equipped to help organizations meet the Defense Federal Acquisition Regulation Supplement (DFARS) by implementing the NIST 800-171 security requirements. Withum’s personnel participate in the CMMC Industry Standards Council and include qualified CMMC Certified Provisional Assessors and Instructors.
Why spend all this time and effort to “think” you’re going to be able to pass your NIST assessment? Substantial evidence is required to support your SPRS score. Choose an experienced partner who will come alongside your team.
Don’t be left unprepared – start planning for NIST 800-171 (and CMMC) today. Reach out to us for a complimentary consultation with a NIST 800-171 compliance consultant.