Defense contractors across the U.S., including those in and around the District of Columbia, are facing new and more stringent information security regulations that require companies to pass additional hurdles before engaging in contract work with the Department of Defense and its ancillary agencies.
These regulations, some of which may begin appearing in RFPs as early as this spring, trace their roots back to early 2020 when the DoD, in partnership with Carnegie Mellon and Johns Hopkins, formed what is known today as the Cybersecurity Maturity Model Certification (CMMC) program, governed by the Cyber Accreditation Body (Cyber AB). The program requires all Defense prime and subcontractors who access, store and/or transmit Controlled Unclassified Information to implement a specified level of cybersecurity.
The upcoming contract requirement known as the DFARS 7021 clause adds a “trust but verify” component to the existing federal contract data protection requirements identified under DFARS 252.204-7012, Safeguarding Covered Defense Information & Cyber Incident Reporting. Prior to CMMC’s release, defense contractors were able to self-attest that their businesses were abiding by the established contract security standards.
All that is changing now.
While these regulations will undoubtedly mean additional time and effort for defense contractors, they are essential to ensure that sensitive information is kept secure. With more than 500 government contractors in the Hampton Roads, Virginia, area alone, preparing for these new requirements is of utmost importance. Those who do so most efficiently and effectively are likely to come out on top in the highly competitive government contracting landscape.
To prepare for the new regulations, organizations should take proactive action to determine their gaps, prioritize resource allocation to address those gaps, and continually adjust to the moving target of cybersecurity compliance across the DoD contracting landscape.
Here are a few key steps for accomplishing those objectives:
- Review any existing (if applicable) or upcoming contracts to identify security requirements/DFARS clauses.
- Identify whether the business handles only FCI (Federal Contract Information) or the more sensitive CUI (Controlled Unclassified Information). As a reference, a company’s contracting officer should be able to assist in determining this.
- Review NIST 800-171 controls in preparation for performing a security controls analysis.
- Ensure there is an established company-wide cybersecurity training program, to include initial and ongoing cybersecurity awareness and education. Continuous cyber training will empower and enable company personnel to identify threats and mitigate their business impact.
- Consider obtaining outside resources, over the short or long term, to supplement in-house resources: to help identify gaps in the organization’s readiness posture, to assist with drafting operational security policies, and to help position the organization for continued CMMC compliance.