there are no posts to show...

Helpful Resources


Yesterday, Richard Wakeman, Senior Director – Aerospace and Defense at Microsoft, provided a terrific update to his 2019 blog post, Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings, providing a lot of additional detail, and answering many of the questions we at CyberSheath come across on the regular from our Defense Industrial Base (DIB) customers. Today, I’d like to cover the three most interesting and impactful assertions from the article and discuss what the changes and clarifications mean for current and future customers of Microsoft’s cloud services who have defense regulatory requirements. But let’s start with the compliance matrices:





As you can see when looking between the year 2019 and 2021 of these compliance matrices, a lot of the ambiguity in the 2019 version is removed. There are no longer “Maybes” or fine print in the cells of the table, and there is an overlay highlighting the importance of data sovereignty – more on that in a minute. You can also see the introduction of CMMC Maturity Levels and the more frequently referenced term of Federal Contract Information (FCI). Let’s talk more about these three interesting bits of information.


Microsoft 365 Government Community Cloud (GCC) High

Observation 1: Still suggested (but…is it required?)

GCC High – A common buzz word in the world of DFARS 7012 and CMMC. There’s been a lot of speculation as to whether or not Microsoft 365 services on GCC High are required if you are doing defense work, and I think Microsoft’s update makes the answer much clearer. The short answer is still maybe, as it was in 2019, but the information provided is much more prescriptive in leading DIB contractors to ask the right questions about the data they are protecting.

  • Do you have the DFARS 7012 Clause in any of your Defense-related contracts?
  • Do you have Controlled Unclassified Information (CUI)?
  • Do you have Federal Contract Information (FCI)?
  • And, with added emphasis, do you have ITAR/EAR data?

This is a simplification of the thought process, and for the sake of keeping this somewhat short, I’m avoiding the thoughtfulness and consideration that should happen around where these data sets exist, how they are stored, received, shared, but depending on how these questions are answered, it becomes clear as to which Microsoft 365 services you should be using or considering. The trouble though is, are you, as a contractor, looking through the right compliance lens? There are vendors, solutions and service providers out there that attempt to solve for a control or set of controls, attempt to deliver compliance for a particular standard (NIST 800-171, CMMC), but the fact of the matter is, all the other questions must be considered to select the right product for your business.

Much of the CyberSheath team has been born and raised in the Defense Industrial Base – we understand the challenges with interpreting these requirements and the importance of all of them, which is why I was happy to see Microsoft’s emphasis on Data Sovereignty and ITAR/EAR in their update. And, like Mr. Wakeman alluded to, security and compliance practitioners are not (usually) legal counsel, but as CyberSheath’s business is focused on delivering security and compliance for the Defense Industrial Base, we have been having these discussions with our customers for years, helping them navigate the decision-making process around their data protection requirements.

If you only receive well-defined non-ITAR/EAR CUI through a secure file transfer portal, and you keep that data on on-prem file services, do you need GCC, or GCC High? Probably not. On the other hand, if you are exchanging ITAR/EAR via cloud email services, collaborating with Defense customers on Microsoft 365 – Teams, SharePoint, OneDrive – You’re going to want to strongly consider GCC High because of the US sovereignty for all the supporting Azure infrastructure and services to meet your ITAR/EAR requirements.


Microsoft 365 GCC (Not High)

Observation 2: Now with Flow Downs!

“If I can’t flow down the DFARS 7012 requirement to Microsoft, how can I ensure that I can comply with sub-paragraphs (c)-(g) on incident reporting?” This was a deal breaker for many of those considering GCC vs. GCC High for quite some time, but it appears that Microsoft is now accepting flow down of the DFARS 7012 clause for GCC proper with the publishing of this compliance update.

This means that, if it’s important for you as a DIB contractor to contractually obligate Microsoft to meet the DFARS 7012 clause, including those pesky incident reporting requirements, you can now do so, Microsoft will accept that contractual obligation, and you will remain compliant with sub-paragraphs (c)-(g), which is just as important if not more so.

But again, as I mentioned above, please ensure that GCC is the right set of services for your circumstances. If you intend to store or transmit ITAR/EAR data with Microsoft 365, it’s likely best to keep the data in the US to meet your regulatory obligations. If you don’t plan to comingle your sensitive data with Microsoft 365, it would be prudent to have the administrative and/or technical means to manage incidents for if and when these types of regulated data end up on services that are not authorized to store-process-transmit those data types. Your accreditation boundaries in your System Security Plan should be pretty clear on this.


Microsoft 365 Commercial

Observation 3: Acceptable for Federal Contract Information!

Federal Contract Information (FCI) has a wider industry footprint than it’s CUI/CDI/ITAR cousins and has a much smaller set of protection requirements.

Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

My interpretation of this is, if you have information provided by or generated for the government in your work, and it’s not marked or identified as being publicly releasable, it’s safe to assume you have FCI.

With that said, if you are confident that you don’t have the more sensitive subsets of FCI that I mentioned earlier – No DFARS 7012 Clause, No ITAR/EAR requirements – but you still do business with the DoD, the security controls of Microsoft 365 commercial should be adequate to meet the 15 basic protection requirements listed in FAR 52.204-21 for FCI. This is now clearly illustrated in Microsoft’s compliance update.


In Conclusion

Moving to Microsoft 365, GCC, GCC High is not inexpensive or without effort. Many of CyberSheath’s customers are taking an approach to minimize the use of these services by establishing enclaves of GCC or GCC High services, accessible only to users who need to work on sensitive data sets – sometimes even establishing these enclaves as an insurance policy for if and when they need to work on CUI or ITAR controlled information. These are viable options for those in the DIB where defense work is only a small fraction of their business, and CUI can easily be identified and controlled. Alternatively, some customers are establishing controls to keep CUI away from their cloud services and owning the compliance burden with on-premises resources and services. Both can be done.

The fact of the matter is the industry is operating under overlapping regulatory guidelines, some of which are interim guidelines, many of which are unfolding before us. It’s great to see Microsoft’s stance on this moving target and providing substantial and informative guidance to assist in decision making related to their services.

Check out the complete 2021 compliance update from Microsoft, here.


CyberSheath is a Microsoft CSP, Microsoft Silver Partner and Microsoft Intelligent Security Association (MISA) member and CMMC AB Registered Provider Organization. Our team has been working with the DoD on DFARS related issues since 2008, initially as a part of the Defense Industrial Base Cyber Security Initiative (DIBCSI).

With hundreds of NIST SP 800-171 assessments and implementations successfully performed for DoD contractors, we can help you cut through the confusion and deliver measurable, ongoing compliance as the Cybersecurity Maturity Model Certification (CMMC) is implemented.  For more information, contact a CyberSheath expert today.



The US government, through the lead agency, the Department of Defense (DoD) is implementing a new Cybersecurity Maturity Model Certification (CMMC) requirement for all private-sector businesses that work with the DoD, and now we understand that the standard will be integrated into the GSA and DHS agencies too.  However, the standard isn’t exclusive to the US government, and is largely being rolled out through a private-public partnership and can be extended to any company, country, independent of the requirements to use the standard for specific US agencies.

In addition to these agencies, on May 15, 2019, then President Trump issued Executive Order on Securing the Information and Communications Technology and Services Supply Chain (E.O. 13873) to strengthen efforts to prevent foreign adversaries from exploiting vulnerabilities in the ICT supply chain and protect the vast amount of sensitive information being stored in and communicated through ICT products and services.

The E.O. sets out the procedures the Department of Commerce will use to prohibit the use or transaction of “information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary”, and that pose risk of sabotage or subversion; 2) catastrophic effects on the Nation’s critical infrastructure or digital economy; or 3) adverse consequences to national security and public safety.

These new research efforts and the new CMMC requirements will directly affect the roughly 350,000 businesses that are part of the DoD supply chain and now 11 million businesses as part of the GSA and likely spread throughout the entire US government. This new standard’s ripple effect is expected to be even larger, potentially replacing almost all other broadly recognized cybersecurity standards.

The CMMC is a set of security controls being developed under the DoD’s guidance in coordination with industry and academia, building on previous standards including NIST 800-171, 800-53, CSF, ISO 27002, CIS v7, Secure Controls Framework, and others.

Five Reasons ISO 27001/27002 Will Not Last Against CMMC Dominance

Reason One: CMMC is required for contracts with the US government and, the CMMC standard is US law/regulation (e.g. compulsory requirement for covered entities).

  1. By law, all DoD suppliers must comply with CMMC and increasingly most GSA and DHS suppliers as of this article’s writing.  This is a sweeping change. It doesn’t matter if you handle classified information or Controlled Unclassified Information (CUI).  If you work with the DoD, supply a DoD prime contractor, or are a supplier to a DoD sub-contractor, this applies to you.
  2. The federal government is the single largest buyer globally, with annual spending on goods and services close to $450 billion a year. In addition, as estimated US military spending is $934 billion and the Department of Homeland Security (DHS) is $60 billion.   Said simply, most of this nearly $1.5 trillion spending will require oversight or CMMC certification by Oct 1st, 2025.    How does this compare?  There is no other cybersecurity standard globally, which requires certification before their resident business can earn revenue. In other words, CMMC is a VERY different standard in that it directly impacts the underlying revenue of a company.

Reason Two: CMMC is a standard above all standards.

This new standard, driven by the US government’s regulatory might, is likely to become the de facto cybersecurity framework for all businesses—regardless of whether they work with the DoD.  The resulting simplification in approach and achievement supply-chain risk will render nearly all other cybersecurity benchmark standards obsolete.

Organizations choose to comply with an information security standard for only one reason: it makes good business sense. Sometimes there are external drivers, such as a key client’s demand, and sometimes the driver is internal, such as a clearly articulated enterprise risk management program.

However, organizations loathe complying with more than one security standard as inefficient and unnecessary.

Some of the factors that go into picking a standard to adopt include:

  • Comprehensive. Ability to be applied across a large swath of business types, sizes, geographies, and needs.
  • Legal & Reputable. National standards (like NIST) and international (like ISO) organizations have strong reputations and are well-recognized. Virtually all reputable standards address the same topics in their unique way. All businesses do the mapping of one standard to another, so a company that worked on becoming ISO 27001 compliant can explain how it is also NIST 800-53 compliant.
  • Applicable. For instance, PCI is relevant to organizations handling payment-card information, and HIPAA is relevant to US Healthcare organizations.  The NIST 800-171 is intended for organizations doing business with the US DoD.
  • Cost-effective. The organization must be able to achieve and maintain compliance without wrecking the business.

The CMMC ticks all these boxes for about +/- 350,000 DoD companies and a growing list of companies outside of those directly in coverage. Since the CMMC is based on the best of all the current reputable standards, there is no particular need to show how it maps back to them; for most of these companies, there is no compelling business reason to comply with any other standard. Because companies must be certified by an impartial, external third party, the CMMC also provides a much stronger assurance to non-DoD business partners than unsubstantiated claims of being compliant with any other standard. The cost of gaining and retaining compliance is minimal to ensure that the supply chain is secured rather than disrupted.

Also, as organizations earn certification, their CMMC level will drive out other claims about cybersecurity. The CMMC level will also simplify the interactions between businesses regarding how information is protected. Currently, mature organizations include some level of cyber due diligence in their contracting processes. With this new standard, instead of subjecting business partners to long questionnaires about their internal cybersecurity, even non-DoD organizations will only have to ask each other a straightforward question: What is your CMMC level?

Reason Three: Programmatically, CMMC auditors are better than any other auditors in the security space.

Auditors must endure and certify both knowledge, competency, ethics, and security background checks and have the quality of their reviews checked and evaluated.  Until now, only the PCI-Standard, the ISO 27001/27002, and HITRUST frameworks offered the option to be certified by a third party. Organizations could say they were compliant, satisfying most who had an interest in security but glossing over that they were not certified. CMMC will require certification by a third party. However, these auditors are very different than ISO in that ethical guidelines bind them, security background checks, knowledge qualification reviews, and qualification checks. The PCI standard is similar in this approach; however, PCI is self-governance from industry versus a legal requirement for all gaining certification.  Moreover, CMMC will police the marketing, attestations, and behavior of those participating in a way that should vet frequent offenders.

Reason Four: CMMC is revenue-focused, not policing-focused.

Up until now, NO cybersecurity standard stood in front of a contract et large.  CMMC is the only standard in which you may not move forward for fulfillment if you do not certify to the level called for by the desirable contract award.  Said another way, you must FIRST become certified not claim ignorance and deny knowledge of one’s responsibility when faced with a policing action afterward.

Reason Five: Most companies will need to be CMMC certified; ISO offers nothing more comprehensive.

Review these considerations below:

Say Hello to CMMC and Goodbye to ISO 27001

Overall, the CMMC process only became law in September 2020 and set in motion a five-year transition plan. It’s hard to determine the full impact of this new compliance approach now; however, CMMC will be the de facto standard to build around for a generation or two at the least.  Also, the DoD is willing and able to enforce these standards as 2021 has ushered in a whole new class of contract award refusals and business-process changes built around cybersecurity compliance certifications.

It also means that DoD contractors should start taking proactive steps to strengthen their security measures and consider migrating from old standards such as ISO 27001/27002 to CMMC. Consider the maturity level you’ll need to earn to continue to justify your security program’s performance (or your DoD contracts) or make the types of contracts you want to hold in the future.

NIST and CMMC will work hand in hand to make for a safer and more structurally sound data security landscape and supply chain and in its place will be a legion of old standards whose usefulness has sunsetted.

CyberSheath is excited to announce the availability of a new service offering specifically designed for Defense Contractors required to ensure compliance from their managed IT providers. This new Managed IT Services for Defense Contractors future-proofs your environment to changes in regulatory scope, interpretation and / or increased scrutiny of your compliance to DoD contracting in the long-term. It is clear that the US Government is becoming less patient with lapses in the Defense Industrial Base (DIB) regulatory compliance of IT management and, paradoxically, cyberthreats are increasing at the same time. Legacy IT delivery models are failing every day as the lines between IT and security have permanently blurred as to who is accountable for specific requirements.

With big picture strategic challenges like avoiding nation-state cyber-attacks and industrial espionage sorting out roles and responsibilities between IT and security is the last thing defense contractors need to worry about. 

CyberSheath has long recognized that a large part of IT delivery, things like patching and asset management, are foundational to NIST 800-171 and CMMC compliance, which is why we are offering a force-multiplying solution for Managed IT services. This offering is only available to defense contractors and uniquely built to make CMMC and NIST 800-171 compliance a natural outcome of day-to-day operations.

What is the DIB Managed Service Provider Compliance Problem?

Defense contractors have a special responsibility to the DoD in ensuring supply chain integrity and trustworthiness and as a result must adhere to cybersecurity requirements outlined across variety of Federal Regulations including:

FAR: 52.204.21 (calls for 15 cybersecurity controls inclusive of specific verbatim pass through / down verbiage to subcontractors and service providers handling Federal Contracting Information (FCI)-Type data)

DFARS: 252.204-7012 (calls for 110 cybersecurity controls inclusive of specific verbatim l pass through / down verbiage to subcontractors and service providers handling Controlled Unclassified Information (CUI)-type data)

DFARS: 252.204-7019-21 directs the DIB to the newly created CMMC Advisory Board for guidance on third-party-providers (TPPs). For refence, the latest guidance from the CMMC AB is as follows:

OSC’s who use cloud services must meet requirements that differ from C3PAO’s.

 1) Companies under the current DFARS 7012 using cloud services or products that receive, transmit, store, and secure CUI on or behalf of the contractor must meet requirements as described in the DoD Procurement Toolbox, Cybersecurity FAQ (Below in part in comments). Remember-The DoD prime/subcontractor is responsible to ensure that the CSP meets the requirements at 252.204-7012 (b)(2)(ii)(D). 

2) Organizations Seeking Certification (OSC) for CMMC L3 using external service providers/cloud services involving CUI must apply the DOD FAQ and consider the impact/evidence required for inherited practice or process objectives as discussed in the v1.10 CMMC L3 Assessment Guide, “A practice or process objective that is inherited is met because adequate evidence is provided that the enterprise or another entity, such as an External Service Provider (ESP), performs the practice or process objective.” See for official policy/guidance. 

Introducing CyberSheath’s New Managed IT for Defense Contractor Service!

CyberSheath’s Managed IT Services for Defense Contractors delivers world-class IT service delivery, integrated with cybersecurity and enabling the documented evidence required to successfully pass a compliance audit or prove certifiable to the next government RFP / RFI. Andy Shooman, CyberSheath’s COO opines, “We’ve been future proofing our customers from policy and technology changes related to CMMC since our managed services debuted in 2015 and our managed IT services eliminates the finger pointing between IT and security giving our customers one vendor to hold accountable. The fact is 60% or more of cyber security requirements touch IT in some way and that has to be accounted for Part of an overall compliance posture.”

Our Managed IT Services for Defense Contractors solution transforms the disconnected IT and security functions into a compliant, integrated, and auditable. 

Base Service Offering: Manage the following in a compliant cost-effective manner for a US Defense Contractor:

    • Endpoint Management/Support Remote Access via VPN
    • Email
    • Identity & Access Management
    • Firewall & Network Management
    • Operating System and Network Device Patch Management
    • Infrastructure Configuration Management

Provide 24/7/365 Support for the following:

    • Support Ticket Management
    • Help Desk / Problem Resolution
    • End User Support Requests
    • Change Management
    • Asset/Configuration Management
    • System Availability / Outages

 Our Premium Service, in addition to the services above, is to manage the following in a compliant manner for a US Defense Contractor:

    • VOIP Telephony
    • Data Storage
    • System Backups
    • O/M365 Office Suite (beyond Mail)

Benefits of the Managed IT Service for Defense Contractors include the following:

It is easy to deploy and maintain (fully outsourced) and You are COMPLIANT!  

  • With CyberSheath’s Assured Compliance Commitment. We commit to having our infrastructure and managed IT services continuously assessed and certified as compliant with DFARS.
  • It is comprehensive technology, security, and governance to DFARS:
    • The Managed IT for Defense Contractors is a solution that is designed from the ground up to comply with DFARS cybersecurity requirements holistically.   
  • End-to-end deployment. 
    • You can combine this service with a world class MSSP / SECURITY!! Leveraging CyberSheath’s 24x7x365 Security Operations Center means someone is always watching the client’s network – freeing up resources so they can get on with other important business. Its Effective Risk Management Traditional information security / antivirus solutions will not stop polymorphic and zero-day threats. We also understand that providing defenses against nation-state’s unique offensive capabilities requires strong security programs. CyberSheath deploys best of breed, compliance technology baselines, SIEM, Phishing Defense, cloud workload protections, threat and endpoint detection and response (EDR), continuous monitoring and cyber threat intelligence (CTI) solutions coupled with our experts in threat analysis and intelligence (i.e., you) that deliver actionable information to mitigate risks to a client’s organization.
    • We adjust to the changing threats automatically! Through robust managed Compliance we can adjust to a very robust compliance landscape and allow for your program to rest-assured that the proper descriptions, documentations, and adjustments are made as to quickly identify potential threats. We combine the best of human and known toolsets to keep a client’s organization up to date with compliance.
  • There are easy procurement options.  
    • Customize Solutions – Although we have preconceived compliance levels, we know every customer is different. So, in the end, our solutions are Tailored to Every Client’s Needs! We know deeply that different organizations require different levels of security. CyberSheath has packaged offerings, allowing you to easily ramp up your security for greater protection, without having to deal with multiple vendors or security resellers.  
    • Flexibility – We have been on the ground floor of NIST/DFARS/CMMC for 12 years shaping, interpreting, and implementing DoD policy and requirements in a way that meets our customers where they are and keeps them in the game. There is no one size fits all and ridged implementation and interpretation will cripple your business with excessive cost and best guess interpretations as to what the DoD is looking for.

 Why CyberSheath as a Managed IT Services Organization?

CyberSheath has over 8 years of providing information security services for our clients. 

Moreover, CyberShealth’s personnel all have military or defense contracting (or both) as their heritage. Threats are global, ever changing, and require a specialized skillset to truly protect organizations. Our managed services staff include experts with previous impressive roles at global defense contracting, managed security services organizations, security software and hardware manufacturers, Military Cyber Operations experience and have multiple security and technical certifications including CISSP.

  • Hundreds of successful NIST 800-171 / DFARS 252.204-7012 engagements over the last 8 years
  • CyberSheath was founded to deliver this solution and “born” out of a Fortune 500 defense contractors experience influencing and implementing evolving DoD cybersecurity policy and requirements.
  • “Skin in the game” – We have been through DoD audits, many, with DoD components validating our approach and the work we do. We will be onsite with your team throughout assessment, remediation, managed services, and your eventual audit.

If you are looking for DFARS compliant Managed IT Services we look forward to providing you a single point of accountability for not only providing the requisite controls, but also for implementing across your IT infrastructure, true one stop shopping.

The Department of Defense (DoD) suppliers were notified at the end of September about the new DFARS Interim Rule designed to collect NIST 800-171 assessment scores from all DoD contractors through submittal to the Supplier Performance Risk System (SPRS). As mentioned in a previous blog post, starting in mid-October, Northrop Grumman, Lockheed Martin, General Dynamics, BAE, and other prime contractors sent letters to suppliers asking them to determine their current DoD assessment score and upload it to the SPRS by November 30th. As of December 1st, the DFARS Interim Rule has become law reinforcing suppliers need to submit their NIST 800-171 assessment score to the government to avoid lost DoD revenue.

The Rush to Submit to SPRS

SPRS submission is being enforced and contractors are being told “no submission, no contract.” In just these first few weeks of 2021 CyberSheath has taken on several customers with incredibly short timelines on SPRS submission either because they didn’t believe that the requirement would be enforced or did not know it existed. The result has been a mad scramble of resources (both on their side and ours) to ensure that DoD revenue was not denied due to failure to conduct, score and submit the required NIST 800-171 gap assessment and related details. These contact us submissions are coming in regularly and with varying degrees of urgency, but the common thread is that “our contracting officer is refusing to take action without an SPRS submission.” 

For the remaining thousands upon thousands of defense contractors who have yet to move positively towards SPRS submission, NIST 800-171 compliance or CMMC at any level, rest assured it will be more cost-effective and sustainable to get started now. Having a contract award delayed because of SPRS assessment scoring submission is entirely avoidable. Correctly addressing compliance, with the endgame of CMMC in mind, rather than a one-off SPRS contracting hurdle, proves to be the better business decision. 

Even before the SPRS requirement, Cybersecurity Maturity Model Certification (CMMC) loomed large for defense contractors. In fact, when we recently surveyed more than 200 senior executives, our results revealed that 82% of contractors believed they had Controlled Unclassified Information (CUI), necessitating CMMC Maturity Level 3. Contrasting the requirement to be CMMC ML3 with what we have found to be an average score of -115, on the scale that ranges from -203 to 110 for SPRS scoring, and you can see that what executives believe to be true is in no way aligned with how they are resourcing the problem. CyberSheath will be opening the vault on our data across the hundreds of Prime and Sub-contractor assessments we’ve completed and scored, sharing trends and benchmarks at our free webinar on February 3, 2021, but said succinctly; the DIB is failing at cybersecurity.

So, How Can You Meet Both Short-term (SPRS) and Long-term (CMMC) Objectives?

Recognize that despite all of the potentially confusing acronyms and jargon, the requirements in 2020, and the steps to long-term compliance, are very much the same as they have been since 2015. 

Everything is grounded in compliance with NIST 800-171 as an initial step. 

  • Compliance with DFARS 252.204-7012 mandates NIST 800-171 compliance. 
  • Your SPRS submission is based on compliance with NIST 800-171.
  • CMMC at its foundation is based on NIST 800-171.

All journeys to near- and long-term compliance start with NIST 800-171 and everything else, as of this writing, is a distraction. Start with NIST 800-171, and you will end up at CMMC ML3 if you follow our proven path to success, which includes these five steps:

5 Steps to CMMC ML3 Compliance

1. Assess current operations for compliance with NIST 800-171. Requirement 3.12.1 of NIST 800-171 mandates that you “periodically assess the security controls in organizational systems to determine if the controls are effective in their application.” The assessment should cover all 14 families and 110 security requirements. It can be an internally led effort or executed by a third party and you can kill two birds with one stone by using this opportunity to do your required SPRS scoring as well. 

2. Write a System Security Plan (SSP).

Requirement 3.12.4 (System Security Plan, added by NIST 800-171, Revision 1), requires the contractor to develop, document, and periodically update, system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. Your SSP is likely the first thing you will be asked for in an audit. It should accurately reflect your actual implementation of the controls. A common mistake is to write an SSP that doesn’t reflect the reality of control implementation.

3. Document Plans of Action & Milestones (POAMs).

Requirement 3.12.2 (Plans of Action), requires the contractor to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems. It’s likely that a number of the 110 security requirements will not be fully implemented in your environment. This should be exposed during your assessment and POAMs should be documented, ideally during the assessment.

4. Implement the required controls.

Execute your POAM’s and achieve full compliance with NIST 800-171. This is probably going to be a full-time effort and if you are using only internal resources remember they all already have day jobs, so set your expectations accordingly. If you work with a third party to implement the controls look for the following expertise:

  • Have they implemented the NIST 800-171 controls for similar sized businesses?
  • Have they solved the unique challenges that come with implementing NIST 800-171 controls in manufacturing, lab and engineering environments?

Ask for and check references. Implementation can be complex in manufacturing, lab and engineering environments and your SSP should reflect these complexities.

5. Maintain Compliance

Document and implement a plan to leverage internal or external resources to maintain compliance. Compliance has a long operations and maintenance tail and should be a repeatable outcome of daily operations, not an annual fire drill. Key questions to answer include:

  • How will you detect, respond and report incidents within the required 72-hour reporting period? 
  • What is your plan to manage your subcontractors and suppliers to meet your compliance requirements?
  • How will you update SSP’s and POAM’s as your business and IT infrastructure changes?

Maintaining compliance is an often-overlooked aspect of achieving compliance. With the significantly evolving regulatory landscape counting on a vendor who can help navigate these landmines is critical. Don’t make the expensive mistake of ignoring the ongoing need to demonstrate compliance and automate and document your efforts for sustained success.

Kickstart Your Compliance Efforts

Don’t forget, we will be opening the vault on our data across the hundreds of Prime and Sub-contractor assessments we’ve completed and scored, sharing trends and benchmarks at our free webinar on February 3, 2021.

How Secure is the DIB Supply Chain?

Scrutiny of defense industrial base (DIB) cybersecurity has never been higher. The costs and impacts of security lapses are on full display in the wake of the SolarWinds breach, as federal agencies continue to investigate the full scale of the intrusion, likely the work of Russia.

Even before recent events, Cybersecurity Maturity Model Certification (CMMC) loomed large among the DIB. We took a snapshot this fall of where DoD contractors stand, surveying more than 200 senior executives to find out what work still needs to be done, the risks and challenges they face, and how to ensure long-term security and compliance.

The results reveal new opportunities, including mitigation and investment strategies, and highlight some of the biggest remaining unknowns that the DIB must quickly address.

This report is designed to help the DIB, the US DoD, and the general security community better understand the level of compliance, the acceptance of new rules, the level of understanding of the cyberattack threat landscape, and current levels of preparedness and business impacts.

Once you learn what DoD suppliers are thinking, find out what they’ve been doing for the past five years. We’re opening the vault on data from the hundreds of Prime and Sub-contractor assessments we’ve completed and scored, sharing trends and benchmarks to help contractors better navigate the road to CMMC compliance. Join our free webinar on February 3, 2021 for all the findings.


Among the key findings of the Fall 2020 executive survey:


Finding 1: 21% of DIB companies surveyed have experienced a cybersecurity incident

 A little over one-fifth of DIB companies indicated that they have been a victim of a cyberattack, highlighting the risk that CMMC aims to curb. But as the demand for security professionals outpaces supply, executives are increasingly looking to public cloud and key DIB partners to assist in managing security.

Public cloud infrastructure offers some of the best bets, and allows DIB companies to compete effectively in today’s digital world and stay secure. Moreover, as cyberattacks become more rampant, DIB C-Suite professionals are looking for active management and continuous monitoring of all infrastructures.


Finding 2: 82% of DIB contractors are handling CUI, a Critical Element in DFARS Compliance (CMMC / NIST 800-171)

Of DIB companies surveyed, 82% understand that they process Controlled Unclassified Information (CUI) as first defined by a ruleset under the Obama administration. As a result, they inherit the most onerous requirements of CMMC and NIST 800-171 security standards, which are critical to ensuring future DoD revenue.

Executives are concerned about the impact security threats can have on business performance, pointing to the potential loss of customers, brand reputation, and operational productivity. Many report adjusting budget priorities to better secure networks and prevent attacks.

The impacts of attacks on DIB corporate networks can vary depending on the industry in which companies compete. Manufacturers that have long embraced automation to boost production efficiencies now plan to integrate artificial intelligence in security measures with a corresponding shift in their IT budgets.

Events that most influence how executives view their companies’ security vulnerabilities include high-profile data breaches and nation-state attacks on peer companies, cyber-attacks on their organizations, and government regulations.


Finding 3: 93% of DIB companies are aware of CMMC

The DIB C-Suite research reveals that nearly all companies in the sector – 93% – are aware of the new CMMC rules and the important sector trends. DIB companies are attempting to educate themselves about the effects of recent rule changes on security requirements. Suppliers of all sorts need to consider documentation, adherence, and, in some cases, transformation of their security practices to protect and comply with the requirements of the new DoD rules.

Fortunately, only 13 of 201 respondents cited that they were unaware of the CMMC rules. Unfortunately, many in the DIB are ill prepared to actually implement them.


Finding 4: A third of DIB companies don’t know which CMMC level to focus on

 The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” The intent is to incorporate CMMC as a requirement for contract award.

While 56% of respondents said they’re focused on Levels 1-3, with 42% focused on Level 3 alone, a large portion of respondents still don’t know which level to focus on. Some 33% of respondents said the level they would focus on is “uncertain.” That will limit their speed in adopting and certifying their compliance with the level they eventually must meet.


Finding 5:  More than half of DIB companies outsource IT and security functions

DIB C-suite executives face tough choices when deciding where to invest resources to propel their businesses forward. At least 4 in 10 respondents identify increasing infrastructure complexity, digital transformation plans, integrations of artificial intelligence, and migration to the cloud as putting pressure on security planning and budget allocation.

Executives understand that compliance to DFARS, NIST 800-171, and CMMC is paramount and to transform their businesses, they must embrace the integration of new technologies.

At the same time, they’re facing an internal skills gap. One-third of respondents report dependence on their internal IT talent, promoted from within, which can create a knowledge gap in security strategy.

The internal skills gap is not easily solved because the demand for security professionals outpaces supply. As a result, more executives report the need to look to outside security vendors for assistance.

In fact, more than 54% of executives report outsourcing both IT and IT Security to gain traction on competent and quick compliance. They’ve decidedly moved toward public and private cloud environments, and the survey data also reveals a shift of network security budgets toward technologies that employ more automation, more technology integration, and the ability to operate from a sovereign US environment on government-certified FedRAMP environments.


Finding 6: China and Russia aren’t the only risks on DIB companies’ minds

DIB C-Suite executives face tough choices when deciding where to invest resources to propel their businesses forward. As the threat of network attacks becomes a question of when, not if, chief executive officers and chief security officers must carefully evaluate the risks associated with security vulnerabilities and the costs of implementing effective security solutions.

At least 4 in 10 respondents identify these factors as putting pressure on their organizations’ security planning and investment:

  • Increasing infrastructure complexity
  • Threat from China, Russia, and Iran
  • Compliance to new regulations
  • Migration to the cloud


Finding 7: 40% of DIB companies estimate the cost of an attack at more than $1 million

Data breaches are expensive. They rack up monetary costs that directly affect companies’ bottom lines, but more troubling is the damage inflicted to intangibles such as brand reputation and customer trust.

Almost 40% of respondents estimated the hard cost of every attack to be more than 1 million USD/EUR/GBP, with cost estimates surging to more than 25 million USD/EUR/GBP for 5% of respondents. While soft costs are difficult to quantify, it is likely their impact is much higher over the long run than hard costs.

Hard and Soft Costs



About the Research

On behalf of CyberSheath, BAO surveyed 201 Executives from July to September 2020. To participate in the 2020 DIB C-Suite Compliance Security Survey, respondents were required to be a company who contracts with the US DoD and by design, the survey required at least half respondents to be C-level executives, though this year’s research attracted far more C-level corporate leaders. About 2/3rds of the companies in the survey have less than 500 employees.


Don’t forget: Sign up for our free webinar on February 3, 2021 to learn what high- and low-scoring organizations have in common, variables that negatively affect most businesses, and characteristics of companies attaining compliance. Don’t miss it!

How Secure is the DIB Supply Chain?

SolarWinds, with more than 300,000 global clients, including many federal agencies in the United States and mostly Fortune 500 companies, unknowingly released a software update that included malware providing hackers unobstructed remote access to victim networks. The magnitude of this breach requires impacted customers to conduct forensics if they have the means, immediately remove the compromised SolarWinds Orion products from their network, execute an incident response action plan and rebuild the network previously monitored by SolarWinds products. 

This level of breach is catastrophic, and impacted businesses should assume total compromise. The work to recover from this event on a meaningful size network is inconceivable for those who have not been through this before.

As a Microsoft Partner and leading provider of Managed CMMC Compliance to Defense Industrial Base (DIB) contractors, CyberSheath has fielded many inquiries related to the extensive investigation into the SolarWinds breach. As nearly every business of any size has some level of Microsoft deployed in their environment, we wanted to share several items we felt would be of interest to those with Microsoft, SolarWinds, or both currently deployed.

  • Microsoft Source Code Repository Access: Microsoft detected malicious SolarWinds applications in their environment, isolated and removed. During the investigation, Microsoft detected unusual activity with a small number of accounts, which was used to view source code repositories. The accounts could not modify code, and the affected accounts were investigated and remediated. There has been no identified risk to services or customer data due to this activity. Access the full Microsoft post SolarWinds Impact and InvestigationMicrosoft provided security tools to investigate and mitigate any known SolarWinds related malicious activity. Microsoft has published several resources that can be used in response to this attack.
  • Microsoft 365 Defender: Businesses with Microsoft Defender 365 should leverage the Indicators of Compromise (IOC’s) provided by Microsoft 365 Defender to look for vulnerabilities and potentially malicious activities related to the SolarWinds attack. 
  • Microsoft Azure Sentinel: Microsoft has published recommended content to Azure Sentinel that should be used to monitor for indicators of compromise. 

Finally, the Solorigate Resource Center, which Microsoft keeps updated with their latest information, can be found here.

Regulatory Compliance Impact on SolarWinds Incident

Aside from what businesses can and should be doing to respond to and recover from this widescale attack, one of the questions heard frequently is, “Could CMMC have prevented any of this?”. We think this is the wrong question to ask and represents “silver bullet thinking”. For example, we do not use this type of thinking in regards to vehicle seatbelts. Seatbelts are required in vehicles here in the United States despite their inability to prevent 100% of injuries, because we still recognize their overall value in injury prevention. 

The fact is had DFARS clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting been enforced and compliance verified since 2017, rather than then selectively implemented through self-certification, the SolarWinds attack might have looked very different. The clause mandates rapid reporting of cyber incidents to DoD. Specifically, the clause requires:

Cyber Requirements under NIST 800-171 Since 2017

(c) Cyber incident reporting requirement.

(1) When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall—

(i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor’s ability to provide operationally critical support; and

(ii) Rapidly report cyber incidents to DoD at

(2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at

(3) Medium assurance certificate requirement. In order to report cyber incidents in accordance with this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents. For information on obtaining a DoD-approved medium assurance certificate, see

(d) Malicious software. When the Contractor or subcontractors discover and isolate malicious software in connection with a reported cyber incident, submit the malicious software to DoD Cyber Crime Center (DC3) in accordance with instructions provided by DC3 or the Contracting Officer. Do not send the malicious software to the Contracting Officer.

(e) Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.

(f) Access to additional information or equipment necessary for forensic analysis. Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.

(g) Cyber incident damage assessment activities. If DoD elects to conduct a damage assessment, the Contracting Officer will request that the Contractor provide all of the damage assessment information gathered in accordance with paragraph (e) of this clause.

Benefit of NIST 800-171 Information-Sharing Mechanism

While looking at this list of reporting requirements, it is impossible to believe that the defense industrial base would not have been better served having implemented NIST 800-171 and being part of the robust information-sharing mechanisms between DoD and industry. IOC’s Would have reached a wider audience, faster and likely with greater precision. 

It is not a leap of faith to believe that our national security and the Department of Defense supply chain will be materially strengthened because of regulatory requirements like CMMC. 

How Secure is the Defense Industrial Base Supply Chain?

We invite you to an interactive review of our analysis detailing hundreds of DoD contractors’ cybersecurity posture to discover the concerning findings and best practices that lead to compliance. During this webinar, you will learn:

  • Top 3-5 failing controls; what are they, and why are they so challenging to implement?
  • Outcomes by business profile, from professional services to the manufacturing floor.
  • Top 3 characteristics of organizations who successfully achieve compliance.

How Secure is the DIB Supply Chain?

Over 14+ years working with the Department of Defense (DoD) contractor cybersecurity compliance requirements have evolved from voluntary to self-certification to now mandatory minimums validated by independent third parties via the Cybersecurity Maturity Model Certification (CMMC); the question of cost underpins almost every discussion. 

The CyberSheath team gets asked two questions every day, all day long. How much and how long? Contractors asking the question prefer a exact answer and ideally one that fits in their existing budget. The DoD and NIST have tried to provide some level of analysis around the cost impacts of cybersecurity compliance but when released these estimates are immediately questioned by industry. In our experience these government provided estimates are interesting but irrelevant to your specific situation. Applying the analysis done by the government is like trying to calculate your tax situation based on what you think your neighbors tax bill might be. It’s a waste of your time and guaranteed to be inaccurate. So how do you get a cost of compliance for NIST 800-171 and CMMC that is relevant and specific to your organization? It’s not actually that difficult, and I will share our process here and welcome you to contact us for your evaluation.

CyberSheath has been providing firm fixed price managed cybersecurity compliance for more than six years exposing us to tremendous amount of data around cost. We also understand the differences between cost of compliance in a manufacturing environment, software development organization, research and development and just about everything in between. A significant part of our customer base includes foreign owned US based defense contractors, so we understand those unique aspects as well. Our methodology is audit approved in the sense that our customers have successfully passed third party audits repeatedly.

Our Approach to Understanding the Cost of Compliance.

Don’t ask for a “ballpark”.

With the passage of the new law that went into effect on November 30, 2020, NIST 800-171 and CMMC compliance are being enforced, and it is time to get serious about actually implementing the controls. Ballparks on CMMC cost are not serious inquiries. I understand human nature and desire to “get a ballpark,” but it is a waste of your time, and it is impossible to get an actionable and accurate “ballpark”. There are simply too many variables specific to your situation that ballparks cannot account for. Cloud-based? On-premise? Windows networked domain environment? Cloud services? Hybrid Cloud? These are just some of the questions that drive cost and prevent a ballpark answer to the cost question. It is a bit like calling a personal trainer, having never met them or provided any information, and asking them how quickly you can get into shape. Don’t fret; there is a relatively painless way to understand what your cost might be. Please skip the ballpark conversation and instead put an hour or less into getting something accurate and actionable.   

Fill out a scoping document and have a conversation.

One of the things that we don’t ask potential customers is what their budget is. Candidly your budget is independent of the cost to become compliant. It’s our job to make your budget and the costs align as closely as possible. Still, ultimately, the cost of getting your specific environment compliant is a finite number independent of your actual budget. You probably didn’t account for the 110 security requirements of NIST 800-171 when you created your budget and CMMC likely wasn’t law, so your budget is not really part of the conversation. 

Your environment, the existing people, processes, and technologies you leverage to conduct your business, hold the answers to determining your cost of compliance. At CyberSheath we have developed a relatively simple process that generally takes less than an hour to complete. 

It starts with a facilitated conversation where we walk you through and fill out for you a comprehensive scoping document. The scoping document was developed through nearly a decade of experience delivering managed compliance services and the questions are geared towards the things we have seen in our experience drive the cost of compliance. You bring the appropriate person from your organization who can answer the questions, typically the “IT guy” and we do the rest. This takes anywhere from 30 to 45 minutes and the outcome is an accurate and actionable understanding of the cost and timelines for your organization to become compliant. In our experience, this is time well spent regardless of if you decide to move forward with CyberSheath as your managed compliance partner or not.

What You Get In Exchange For Your Time

A facilitated conversation that outputs a firm fixed price statement of work tailored to your organization’s people, processes, and technologies. It includes cost, schedule, and deliverables to understand how long and what it will take to get you fully compliant. Of course, we’d love to have you as another one of our satisfied customers, but it also allows you to understand what a comprehensive solution looks like if you’re talking to other vendors. 

Next Steps

Unsure of the cost and time for you organization to become compliant with NIST 800-171 and CMMC?  Schedule a meeting with a CyberSheath expert today.  To further your knowledge on how your organization compares with the cybersecurity posture of the DIB, please join our webinar, “How Secure if the Defense Industrial Base Supply Chain?” on February 3, 2021 at 9:00 am (PST) | 12:00 pm (EST) to access our data collected from hundreds of assessments to discover the concerning findings and best practices that lead to compliance.  Register Now.


How Secure is the DIB Supply Chain?


As 2020 ends, and if you missed them, we have rounded up five of our most popular blog posts. 

This past year was filled with discussion and updates regarding CMMC and NIST 800-171, so not surprisingly, these top posts cover NIST controls, the DFARS Interim Rule, as well as the steps required to ensure new Department of Defense (DoD) regulations are met.


Let’s get started.


The first two blog posts touch on NIST 800-171 and CMMC control compliance.

1. Top Five Most Difficult Controls to Implement Under NIST 800-171

As Prime and Sub-contractors begin to learn more about the regulations required to maintain or win new DoD revenue, you may wonder if your competitors share the issues you are running up against as you work to become compliant. Questions around the topmost complicated controls to implement, the why behind their complexity, and how you can overcome the obstacles they create are covered in this post. 


2. What is the CMMC Shared Security Model and Why is it Needed?

For commercial firms providing services to the U.S. defense industry, the challenge that is cybersecurity has been growing for years but mainly without any oversight from the DoD. Specifically, the collection of Controlled Unclassified Information (CUI) on unregulated and often under secured contractor networks across the DoD supply chain has become a risk that requires addressing for the DoD. This post explains how a CMMC shared security model assures coverage of all areas of the security environment to meet compliance.  


The next two blogs posts cover the DFARS Interim Rule before becoming law on December 1st. Though each post was designed to examine the interim rule, the guidance offered still applies since the rule’s transition into law.

3. DFARS Interim Rule: What You Must Do Immediately

The post goes through what is required of you today to be compliant with the updated DFARS clause that is now law.


4. DFARS Interim Rule and Emergency Justification FAQ: Everything You Need to Know

A robust, frequently asked question post with the answers necessary to understand the law’s impact on your business and what actions you must take to maintain competitiveness.


Lastly, our final post provides a step-by-step guide assuring the latest DoD regulation is met.

5. Step-by-Step Guide to SPRS NIST 800-171 Assessment Submittal

As of December 1st, the DFARS Interim Rule has become law; reinforcing suppliers need to submit their NIST 800-171 assessment score to the government to avoid lost DoD revenue.

The CyberSheath team works with our clients to ensure they meet all DoD cybersecurity requirements, and to that end, have assisted in the submittal of their assessment to the SPRS. This post contains a step-by-step guide walking through successfully creating an account and submitting your assessment score to the government.

In short, yes; however, with caveats.

In 2019, the Department of Defense (DoD) announced the development of the Cybersecurity Maturity Model Certification (CMMC). The CMMC is a maturity model based foundationally on the NIST 800-171 framework with some key evolutionary elements and integrations from NIST 800-53 and ISO 27001 among others, respectively. The change also incorporates the addition of third-party accreditation by cybersecurity assessors.

In January of this year, the Department of Defense (DoD) released the CMMC. This new maturity model defines five levels of increasing maturity and will require all defense contractors, both Primes and Subs, to comply with one of the five levels and attain independent verification of compliance prior to contract award. In an ongoing effort to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), CMMC is a significant change for DoD acquisition, cybersecurity, and policy. For small businesses in the defense industrial base, the challenge is potentially insurmountable.

CMMC mandates minimum cybersecurity standards for 300,000 plus commercial defense contractors around the globe and makes compliance part of the acquisition process, preventing contract award until an independent third-party has verified compliance. Given the magnitude of this change and the revenue impacting consequences of non-compliance, we choose Microsoft for our CMMC Managed Services Customers.

So now that the mandate is in place, how does this effect the cost of doing business with the US DoD?

In short, this mandate is supposed to be a ‘pass through.’

Katie Arrington Quote on CMMC

So, where is the source government verbiage documenting that a 7012 (NIST) or 7021 (CMMC) assessment or implementation is a reimbursable cost?

See below:


Regarding DFARS 252.204-7012 in 2013, DOD stated (see attached) that costs related to complying with DFARS 252.204-7012 are likely allowable and chargeable to indirect cost pools. (See page 69274). Since complying with CMMC level 3 is the equivalent to complying with DFARS 252.204-7012, it should follow that, at a minimum, the cost of Level 3 accreditation should be an allowable cost.  The exact verbiage from the law is provided here and the full section of the law is (attached):

  1. Allowable Costs Under Cost Accounting Standards (CAS) Comment: One respondent asked if the cost associated with compliance to the DFARS changes is allowable under CAS.

Response: Cost Accounting Standards address measurement, allocation and assignment of costs. FAR 31 and DFARS 231, specifically FAR 31.201–2, address the allowability of costs. There is nothing in FAR 31 or DFARS 231 that would make costs of compliance with DFARS unallowable if the costs are incurred in accordance with FAR 31.201–2. While we cannot know in advance if a company will incur costs in accordance with FAR 31.201–2, there is nothing included in the final rule that would cause or compel a company to incur costs that would be in violation of FAR 31.201–2.

Comment: Several respondents stated that DoD needs to account for/provide funding for the additional costs of implementation.

Response: Implementation of this rule may increase contractor costs that would be accounted for through the normal course of business.


Regarding CMMC, “The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP) making cybersecurity an “allowable cost” in DoD contracts.”

“The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC you may be disqualified from participating if your organization is not certified.”

Clearly the government isn’t expecting to receive the benefits of CMMC and the new accreditation without paying for it but it will not be a layup to get your costs covered. You still have to win first, there is not prize for losing bids.

FAQ for CMMC ( )

The Department of Defense (DoD) suppliers were notified at the end of September about the new DFARS Interim Rule designed to collect NIST 800-171 assessment scores from all DoD contractors through submittal to the Supplier Performance Risk System (SPRS). As mentioned in a previous blog post, starting in mid-October, Northrop Grumman, Lockheed Martin, General Dynamics, BAE, and other prime contractors sent letters to suppliers asking them to determine their current DoD assessment score and upload it to the SPRS by November 30th. As of December 1st, the DFARS Interim Rule has become law reinforcing suppliers need to submit their NIST 800-171 assessment score to the government to avoid lost DoD revenue.

The CyberSheath team works with our clients to ensure they meet all DoD cybersecurity requirements, and to that end, have assisted our clients in the submittal of their assessment to the SPRS.  To help suppliers navigate a potentially overwhelming process, we have created a step-by-step guide to showing how to successfully create an account and submit your assessment score to the government.


Step-by-Step Guide to SPRS Assessment Submittal

Step 1: Set up Your Account

First, you will want to visit the PIEE website. Click on REGISTER button on the top right of the screen.

PIEE Account Set Up

Next, accept the Privacy Act Statement and Terms and Conditions.

Select VENDOR from the options.

PIEE Vendor Options

If your company has a Common Access Card or Certificate, you can choose this option from the drop down. However, you can choose User ID\Password if you do not have the other information readily available.

PIEE Captacha

Enter in your security questions.

PIEE Security Questions

Provide your name and contact information.

PIEE User Profile

Enter supervisor (not required) and company contact information.

PIEE Supervisor Contacts

STEP 2: Access the Supplier Performance Risk System (SPRS)

Select SPRS (Supplier Performance Risk System) from the drop-down menu.

PIEE SPRS Drop Down Menu

STEP 3: Select SPRS Cyber Vendor User

PIEE SPRS Cyber Vendor

STEP 4: Add Roles

Next, click ADD ROLES. You will see a line at the bottom with a LOCATION CODE field. This is where you will enter the CAGE code for your company.

PIEE Add Roles

Enter in your CAGE code. If you have multiple CAGE codes, you will need to repeat Step 3 to add those additional lines.

PIEE Add Cage Code

Enter the justification for your account. Attachments would be used for justification and/or identification. However, do not attach your self-assessment here.

PIEE Justification

Step 5: Complete the Agreement

From here you will need complete the Agreement portion of the application. You should receive approval for your account promptly after completion. If you do not have a CAGE code or if the CAGE code, you have not been registered with an in-use DoD contract you may not be able to successfully create an account. If you run into this issue or your company has never won a contract, you can submit your self-assessment to *NOTE* Remember to submit your self-assessment via encrypted email.

Step 6: Admin Approval of Cage Code

Once you register you will have to have the admin who is linked to the cage code approve your account.

PIEE Log In Credentials

If you are not the Contract Administrator of the cage code and are unsure who that person is, you can look it up by going to the PIEE homepage and selecting FIND MY ACCOUNT ADMINISTRATOR from the NEED HELP WITH YOUR ACCOUNT? menu.

On the next screen you will need to input your cage code under the LOCATION CODE. You do NOT select any options from the APPLICATION or ROLE options. After the cage code has been inputted type in the numbers from the CAPTCHA Image and click SUBMIT.

PIEE Location Code

The next screen will populate who the Administrator of the cage code is and who you will need to contact for account approval. If there has not been an Administrator linked to the cage code you will need to contact PIEE support (1-866-618-5988) to get that provisioned.

You have successfully created your account. Once the account registration is approved by the cage code administrator you are ready to submit your score.

Step 7: Submit Your Assessment Score

Now that you have an account you will need to go to the PIEE website and click LOG IN.

Login Btn

Select the SPRS Icon. Then select NIST SP 800-171 Assessment from the options.


You will need to select the company name at the desired level (BASIC will be the most common unless your company went through an audit consisting of Government personnel). Once selected click ADD NEW ASSESSMENT from the menu.

PIEE Attach Assessment

Enter assessment details and click SAVE.

PIEE Enter Assessment Details

Next Steps

You have successfully submitted your assessment meeting the requirements under the DFARS rule and can now begin working toward your Plans of Actions and Milestones (POAM).

If you have not done an NIST 800-171 assessment and do not know your score, we are here to help. Please do not hesitate to reach out with any questions or talk through a project plan to avoid penalties and remain competitive in the DoD acquisition process.

At CMMC Con 2020, we heard about the threat from China, next steps for CMMC, and how no one in the Defense Industrial Base (DIB) has all the answers. After an immersion in why the CMMC is essential and what the requirements are, the one question remaining is: What now?

We wrote a book about how to get started — get your free copy here. It’s a plain-English guide to everything you need to know about achieving NIST 800-171 and CMMC compliance as a contractor in the DIB.

But next steps were a focus of the sessions at CMMC Con. The biggest takeaway: Get your self-attestation recorded or risk lost business.

One of the clearest wake-up calls came from Katie Arrington, who noted that “every vendor, every contractor as they are going to contract award will have to do a self-attestation and record it on the SPRS platform .… It’s the dawn of a new day.” She later emphasized: “All new awards as of November 30, 2020 have to have this self-assessment.”

This was a stark reminder of what the DIB has been hearing with increasing urgency for a couple months. We got the DFARS Interim Rule at the end of September. Starting in mid-October, Northrop Grumman, Lockheed Martin, General Dynamics, BAE, and other prime contractors sent letters to suppliers asking them to determine their current DoD assessment score and upload it to the SPRS by November 30th.

While everyone was supposed to be doing this for the past five years, a lot of this is new, like submitting self-attestations to the SPRS. Everyone is playing catch up. But that doesn’t mean everyone is taking it seriously just yet. And they might not until it hits their wallets.

Arrington said in her keynote there are signs of improvement in compliance, but in the assessments, we perform for our clients, we haven’t seen that. Reviewing our data, it’s clear contractors and suppliers have a way to go.

There are many reasons why. In part, the five NAICs codes cited in the DFARS interim rule are so broad they’re pulling in contractors that weren’t aware they had to comply: Research and Development in the Physical, Engineering, and Life Sciences; Engineering Services, Commercial and Institutional Building Construction, Other Computer Related Services, and Facilities Support Services. As a result, we have been working with construction and architecture firms that don’t understand why the rule applies to them.

Several other suppliers are stuck between a rock and a hard place. Organizations that are supposed to have met the standards for the last five years have been taking contracts, thereby certifying they are 100% compliant. But it was self-certification, and no one was checking. Now, do they score themselves honestly and open themselves up to False Claims Act liability for contracts they have taken? Or do they score themselves aspirationally and try to make up ground before anyone comes knocking on their door?

The answer is to get the process started as soon as possible. Read our book for more background. We’ve been performing assessments for years and understand what’s required and where and how most contractors need to improve.

The one silver lining from Arrington’s keynote is that the DoD recognizes the cost of security. She noted: “We are willing to pay for it, we are willing to say security is an allowable cost … build it into your rates.”

The challenge now, as we heard all day at CMMC Con, is to get it done on deadline.

RESTON, Va.—December 1, 2020—CyberSheath Services International today announced it has earned Cybersecurity Maturity Model Certification (CMMC) Registered Provider Organization (RPO) certification. This new achievement fortifies the company’s position as the leader in CMMC compliance solutions and services meant to eliminate theft of intellectual property and sensitive information across the Defense Industrial Base (DIB) and Department of Defense (DoD) supply chain.

This news comes on the heels of CyberSheath hosting some 1,000 registrants for an incredibly successful CMMC Con 2020 virtual conference in November. CyberSheath also wrote a book on CMMC – the CMMC Companion 2020/2021 Edition, which is widely seen as a defense contractor’s playbook.

“By staying current on certifications and changes in compliance requirements, we’re positioned as the partner of choice for CMMC compliance,” says Eric Noonan, CEO of CyberSheath. “The RPO credential formally recognizes what our existing customers already know, that DoD contractors can trust in CyberSheath’s ability to deliver turnkey solutions for cybersecurity compliance requirements. Our managed services approach to CMMC and NIST 800-171 compliance meets suppliers where they are, significantly reducing cost and complexity for their business.”

The CMMC model is a set of mandatory cybersecurity requirements that all 300,000-plus DoD contractors must implement and then validate by an independent third party before contract award. The CMMC Accreditation Body, which is managing the CMMC rollout on behalf of the DoD, announced requirements and opened applications for multiple credentialed roles, including RPO, this summer.

CyberSheath’s staff have been working with the DoD since 2008 from the inception of voluntary cybersecurity requirements all the way through the current mandatory CMMC requirements, and the RPO credential is the next logical step in this journey.

According to the CMMC-AB, RPOs are authorized to represent the organization as familiar with basic constructs of the CMMC Standard, and are qualified as:

  • Aware — Employs staff trained in basic CMMC methodology.
  • Registered Practitioner Staffed — Offers non-certified consultative services.
  • Targeted — CMMC Assessment preparation.
  • Trusted — Bound by a professional code of conduct.

RPO status means CyberSheath has agreed to the CMMC-AB Code of Professional Conduct, can deliver non-certified CMMC consulting services, and is listed on the CMMC-AB Marketplace.

For more information or details, please contact


About CyberSheath Services International, LLC

Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at



CMMC CompanionRESTON, Va.—November 24, 2020—CyberSheath Services International has published the 2020 / 2021 CMMC Companion guide to help defense contractors navigate and comply with new rules from the Department of Defense (DoD) to secure the Defense Industrial Base from cyberthreats. This new resource for defense contractors provides a clear, concise primer that summarizes the CMMC, discusses why the rule has been created, and proposes useful tips for its mandatory implementation.

“The defense industry has been clamoring for help as new rules emerge and the risk of losing out on defense contracts and revenue becomes more real,” says Eric Noonan, CEO of CyberSheath. “CyberSheath has been supporting compliance initiatives for defense contractors and other companies since 2012, and they’ve channeled that experience into this new resource. Anyone dealing with CMMC will gain enormous benefits in terms of understanding the history, terminology, approach, and future direction.”

Though the industry has been charged with meeting stringent requirements for years, recent updates with real deadlines have created urgency and angst among prime and subprime contractors. Not only are the prime contractors ensuring their own compliance, but they are also putting pressure on their suppliers to verify compliance. If defense contractors do not comply, they risk the security of the supply chain, national security, the ability to secure DoD contracts, and, thus, their revenue.

New rules under the recent DFARS interim law rule, coupled with requests from prime contractor demands mean suppliers must confirm their NIST 800-171 Assessment Score, provide a Plan of Action and Milestones (POAM) estimated completion date (ECD) for any unimplemented requirements, their status and ECD for an additional 20 CMMC practices, and their status and ECD for the CMMC Level 2 and 3 maturity processes. On top of that, suppliers have to provide updates on their progress until all practices and progress are implemented, as well as their “estimated date for closure of all NIST SP 800-171 POAM items, and the expected closure date for the additional controls.”

The new CMMC Companion guide comes on the heels of the first-ever CMMC Con, a virtual gathering hosted by CyberSheath attended by some 1,000 CMMC partners, including government stakeholders, services providers, and contractors.

For more information or details, please contact


About CyberSheath Services International, LLC
Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at

CyberSheath is pleased to introduce our distinguished CMMC Con 2020 guest and powerful industry and national resource Richard Wakeman.  Richard Wakeman is the Senior Director of Aerospace & Defense for Azure Global Engineering and is the commercial industry lead for Azure Government, Microsoft’s cloud solution specifically engineered to meet US government compliance and security requirements. He specializes in the Defense Industrial Base adopting cloud services from Microsoft and is the Program Manager for the Microsoft Cybersecurity Maturity Model Certification (CMMC) Acceleration Program. Richard engages with Microsoft partners and customers end-to-end from engineering to drive adoption of Azure Government, Microsoft 365 GCC High and Dynamics 365 GCC High as solutions within the Microsoft US Sovereign Cloud.

Richard joined Microsoft in 2007 as a developer, identity and messaging expert at the dawn of Microsoft Online Services. Shortly after joining, he was engaged by the Exchange Product Group to lead cloud deployments worldwide for Live@edu as part of the Exchange Labs program, the predecessor of Office 365. He led the charge for the integration of MCS and Premier services with cloud offerings, becoming a Senior Architect for the Microsoft Enterprise Services Business Productivity Global Domain Solution Architecture Office. During the decade of tenure in professional services, Richard had an impact on deploying over 100 million seats into the Microsoft cloud.  He deployed the first Microsoft cloud customers, to include the first million seat organization in the public multi-tenant cloud to the first Government Community Cloud customer.

Among Richard’s main roles is to overview what Microsoft is doing with CMMC concepts.

Microsoft and CMMC

Microsoft has a deep and long history of supporting government customers and their unique mission requirements; in fact, about a year ago, Richard Wakeman wrote this blog specific to the Microsoft Cloud Service Offerings. Suffice it to say Microsoft uniquely understands the U.S. Government’s mission in a way that only decades of experience working alongside one another will allow. Microsoft understands the required people, processes, and technologies to support the DoD mission from both a compliance and operational perspective so well that it can often be difficult for anyone to lay it all out in one succinct communication. Microsoft has done more for the United States Government than any other cloud provider. Their decades of successful partnership with DoD have enabled them to provide resources that will enable your journey to CMMC compliance.

Here are three resources to get you started on your journey to CMMC compliance:

1. Shared Responsibility Model

CMMC compliance for many, if not most, companies will undoubtedly rely on the cloud at some point in the journey. When in the cloud, and frankly, on-premises, it is important to understand the concept of shared responsibility. When relying on cloud services, understanding the shared responsibility model is foundational to meeting and maintaining compliance. For an excellent blog on shared responsibility in the cloud start here and as you read think about which CMMC security tasks are handled by your cloud provider and which tasks are handled by you. Now for the many companies that rely on Managed Service Providers, Managed Security Service Providers, or otherwise defined Third-Party Providers, how are you extending the shared responsibility to those entities?

Almost no MSSPs understand CMMC in the context of the shared responsibility model. To my knowledge, CyberSheath is the only one that has built our entire CMMC management platform around Microsoft Azure technology, which is detailed here along with a detailed breakdown of how CMMC has been 13 years in the making.

CMMC compliance isn’t a “go it alone” model and requires an understanding of the shared responsibility model, regardless of your CMMC compliance level. Rare is the company that does everything in-house without exception.

2. Azure Blueprints

Azure blueprints enable customers to easily create, deploy, and update compliant environments and leverage the enormous Microsoft investment in data security and privacy. Microsoft invests more than USD 1 billion annually on cybersecurity research and development, employs more than 3,500 security experts entirely dedicated to your data security and privacy and Azure has more certifications than any other cloud provider. View the comprehensive list.

Blueprints simplify largescale Azure deployments by packaging key environment artifacts, such as Azure Resource Manager templates, role-based access controls, and policies, in a single blueprint definition. Customers can easily apply the blueprint to new subscriptions and environments and fine-tune control and management through versioning. Specific to CMMC, blueprints present a tremendous advantage for customers who want to quickly address the majority of the CMMC Maturity Level 3 requirements.

The NIST SP 800-171 R2 blueprint sample provides governance guard-rails using Azure Policy that help you assess specific NIST SP 800-171 R2 requirements or controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement NIST SP 800-171 R2 requirements or controls. As many readers know, approximately 85% of the CMMC Maturity Level 3 requirements are essentially the NIST 800-171 security requirements, so this blueprint can be a force for progress in your CMMC compliance efforts.

3. Office 365 GCC High and DoD

As many defense contractors already know, CMMC was, in part, created to address the security of CUI, and Microsoft has long been a partner with DoD working to protect this information.

To meet the unique and evolving requirements of DoD and contractors holding or processing DoD controlled CUI or subject to International Traffic in Arms Regulations (ITAR), Microsoft offers GCC High and DoD environments. Microsoft GCC High and DoD meet the compliance requirements for the following certifications and accreditations:

  • The Federal Risk and Authorization Management Program at FedRAMP High, including those security controls and control enhancements as outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-53.
  • The security controls and control enhancements for the United States Department of Defense Cloud Computing Security Requirements Guide (SRG) for information up to Impact Level 5 (L5).

DoD Office 365 subscribers will receive services provided from the DoD exclusive environment that meets DoD SRG L5. Non-DoD subscribers will receive services from the U.S. Government Defense environment, which is assessed at L5, but uses L4 segmentation.

There is much debate and often confusion on whether CMMC requires GCC high, and it is one of many issues that highlight the need for a Managed Compliance Partner, but the point is that Microsoft has long been the partner of choice for the DoD in addressing this challenge.

For additional information join us at CMMC Con 2020

For additional information on Microsoft’s CMMC acceleration, join Microsoft’s Richard Wakeman, Senior Director of Aerospace & Defense for Azure Global, on November 18th at CMMC Con 2020.  Mr. Wakeman will host a Technology Spotlight session dedicated to discovering how Microsoft solutions are assisting the DIB in government compliance.   Register Now.

The CyberSheath team has been a part of what today is known as the Cybersecurity Maturity Model Certification (CMMC) since it was an entirely voluntary initiative in 2008, consisting of eight and then sixteen of the largest prime contractors in the DoD supply chain. At the time progress was slow because this kind of cooperation between DoD and industry was new and breaching unchartered legal ground. Progress was sluggish, participation was voluntary, and we literally shared “threat” information via FedEx as the best we could do until we had the infrastructure in place to do better. So having been in partnership with the DoD for twelve years, first as the global CISO for BAE Systems and now as one of the largest managed CMMC Compliance MSSP’s working with small and mid-sized businesses, I know from experience that the progress made in the last eighteen months is extraordinary. The foundation of partnership between DoD and industry built up over the last decade-plus was crucial. Still, the ultimate accelerant to our collective progress is Ms. Arrington’s unwavering drive to get this done.

When I first heard Ms. Arrington speak at the Professional Services Council in early 2019. She was promoting the idea of independent third-party audits of defense contractors to enforce accountability of supply chain security. I thought it was an idea that would be quickly killed off by the bureaucracy, industry associations, and lobbyists. I stand here eighteen-plus months later in awe of what has been accomplished. As the driving force behind CMMC, Ms. Arrington will be featured as the keynote speaker at CMMC Con 2020 in an extended interview format answering many questions that have yet to be asked in the countless webinars we have all had too much of.

Ms. Katherine “Katie” Arrington is a member of the Senior Executive Serves and serves as the Chief Information Security Officer for Acquisition and Sustainment (CISO(A&S)) to the Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)). In this position, she serves as the central hub and integrator within the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) to align acquisition and sustainment cyber strategy and efforts to enhance cybersecurity within the Defense Industrial Base.

As the CISO(A&S), Ms. Arrington is responsible to ensure the incorporation of integrated security/cyber efforts within USD(A&S) with the purpose of providing a focused and streamlined governance approach, provide a central coordination point and common compliance standard that serves to synchronize the various existing disparate cybersecurity efforts and standards across the Department and Industry as it relates to Department of Defense acquisition and sustainment efforts.

Ms. Arrington is leading efforts that help ensure a secure Defense Supply Chain through the implementation of Trusted Capital vendors and Supply Chain Risk Management principles, enhance Defense Industrial Base security and resilience, and establish a common cybersecurity standard within Departmental acquisition efforts. She also synchronizes these efforts across the Department, other federal agencies, and works with legislators to ensure Departmental authorities and actions align and support the nation’s security goals.

Before assuming her position as CISO(A&S), Ms. Arrington has an extensive career as a legislator and senior cyber executive in the private industry. Ms. Arrington was a 2018 candidate for the US House of Representatives for South Carolina and served for 2 terms as a South Carolina State Representative. She has extensive experience in cyber strategy, policy, enablement, and implementation across a wide range of business sectors and governmental levels. She has over 15 years of cyber experience acquired through positions at Booz Allen Hamilton, Centuria Corporation, and Dispersive Networks. These positions have given her a unique experience of supporting and work with the government at large, small, and non-traditional contracting firms. Ms. Arrington is married to Robert and resides in Summerville, South Carolina, and a proud parent of three children and grandparent to four grandbabies.

Please join us on November 18th for Ms. Arrington’s keynote and our expert line-up as they engage in conversations focused on DFARS compliance, the threat from China, how cybersecurity impacts the future of doing business with the DoD, and a “how-to” session for small and medium-sized businesses struggling with NIST 800-171 and CMMC. Register Now.

RESTON, Va.—October 29, 2020—CyberSheath Services International today announced that it has been selected to join the Microsoft Intelligent Security Association (MISA) as one of the association’s first CMMC-focused managed security service providers.

“MISA members are cybersecurity industry leaders,” said Eric Noonan, CEO at CyberSheath. “They’re unified by the common goal of helping secure our customers by offering unique and valuable customized expertise and making the association more effective as it becomes more diverse.”

CyberSheath has extensive Microsoft expertise, including professional and managed security services for a wide array of U.S. defense contractors, and was nominated for MISA for their managed security service offerings for Azure Sentinel and Microsoft Defender for Endpoint. CyberSheath uses a Microsoft technology stack fueled by Microsoft Azure Sentinel, the cloud-native Security Information and Event Management (SIEM) solution that quickly identifies security threats across hybrid enterprises.

MISA began as an ecosystem of independent software vendors (ISVs) that integrated their security products with Microsoft’s to better defend against a world of increasing threats. Due to increased demand for a closely interwoven security ecosystem, the association is growing and launching an invitation-only pilot program for select managed security service providers.

MISA plays a vital role in reducing the cost and complexity of integrating disparate security tools. Adding managed security service providers promises to increase the ecosystem’s value even more by offering an extra layer of threat protection without requiring day-to-day involvement of in-house security teams,” said Andy Shooman, COO at CyberSheath. “It’s another important step in both strengthening and simplifying security at a time when risk mitigation is one of IT’s highest priorities.”

“The Microsoft Intelligent Security Association has grown into a vibrant ecosystem comprised of the most reliable and trusted security software vendors across the globe,” said Rani Lofstrom, Senior Product Marketing Manager, Microsoft Security. “Our members, like CyberSheath, share Microsoft’s commitment to collaboration within the cybersecurity community to improve our customers’ ability to predict, detect, and respond to security threats faster.”

About CyberSheath Services International, LLC

Established in 2008, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at



Press Contact:

Kristen Morales

CyberSheath is pleased to introduce CMMC Con 2020 attendees to one of our keynote speakers and CMMC discussion panelists, retired Brigadier General Dr. Robert Spalding. As emphasized by his experience, Dr. Spalding is an expert on national security and highly-qualified to speak on China’s role in the theft of intellectual property across the defense industrial base. Far too often, the conversation on CMMC is mired in legislative workings, never addressing the “why” behind the need for CMMC in the first place. We felt the “why” is an often-overlooked agenda item and could think of no better speaker to address this topic than Dr. Spalding.

Dr. Spalding has served in senior positions of strategy and diplomacy within the Defense and State Departments for more than 26 years, retiring as a brigadier general. The chief architect for the Trump Administration’s widely praised National Security Strategy (NSS), and the Senior Director for Strategy to the President at the National Security Council, Dr. Spalding, is a national security expert, patriot, and entrepreneur. We are thrilled to have him at CMMC Con 2020 as our honored guest.

His work has been published in The Washington Post, The Washington Times, Foreign Affairs, The American Interest, War on the Rocks, FedTech Magazine, Defense One, The Diplomat, and other edited volumes. His Air Power Journal article on America’s Two Air Forces is frequently used in the West Point curriculum.

Dr. Spalding is a Life Member of the Council on Foreign Relations. He has lectured globally, including engagements at the Naval War College, National Defense University, Air War College, Columbia University, S. Rajaratnam School of International Studies in Singapore, Johns Hopkins Applied Physics Laboratory, and other Professional Military Educational institutions. Spalding received his Bachelor of Science and Master of Science degrees in Agricultural Business from California State University, Fresno, and holds a doctorate in economics and mathematics from the University of Missouri, Kansas City. He was a distinguished graduate of the Defense Language Institute in Monterey and is fluent in Chinese Mandarin.

Please join us on November 18th for the LIVE session(s) with Dr. Spalding. Through the liberal use of vignettes and examples, he will eloquently detail the modern threat posed by China to the US Defense Industrial Base. Register Now

Dr. Spalding is the author of an authoritative book on the same topic called “Stealth War,” which is available here.

On September 29, 2020, the Department of Defense (DoD) issued an interim rule (Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)) implementing two separate requirements for defense contractors related to cybersecurity that change acquisition. The two requirements give contractors much-needed clarity around how to prioritize their efforts to improve cybersecurity in alignment with DoD acquisition. The DFARS interim rule provides timelines and scoping information related to the Cybersecurity Maturity Model Certification (CMMC) implementation, enabling contractors to plan and implement against those requirements accordingly. In priority order and plain English here are both the new requirements and what your company should be doing now; for a deeper look at the 89-page rule please read our FAQ.

What You Should Do Immediately to Address the DFARS Interim Rule

Let’s start with the answer; get compliant with NIST 800-171 by implementing all the security requirements defined within that publication. Immediately actionable is the requirement to submit your NIST 800-171 assessment, using the DoD approved scoring methodology, through the Supplier Performance Risk System (SPRS).

First, understand that this interim rule immediately impacts all of your future DoD awards if they include DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. This includes contracts, task orders, options, etc. Below is the language directly from the DFARS Interim Rule as to scope and impact for anyone who thinks this does not apply to them:

“The contracting officer shall verify that the summary level score of a current NIST SP 800-171 DoD Assessment (i.e., not more than three years old, unless a lesser time is specified in the solicitation) (see 252.204-7019) for each covered contractor information system that is relevant to an offer, contract, task order, or delivery order are posted in Supplier Performance Risk System (SPRS), prior to:

(1) Awarding a contract, task order, or delivery order to an offeror or contractor that is required to implement NIST SP 800-171 in accordance with the clause at 252.204-7012; or

(2) Exercising an option period or extending the period of performance on a contract, task order, or delivery order with a contractor that is required to implement the NIST SP 800-171 in accordance with the clause at 252.204-7012.”

Ideally, you will submit your scored assessment within the next 60 days but at a minimum, it is required before your next expected DoD contract award so timing is unique to each company. Information that you are required to share and enter with the results of your Basic NIST SP 800-171 DoD Assessment into SPRS includes:

  • Date of the assessment
  • Summary level score (e.g., 95 out of 110, NOT the individual value for each requirement)
  • Scope of the Basic Assessment – identify each system security plan (security requirement 3.12.4) supporting the performance of this contract. All company CAGE codes must be mapped to the appropriate system security plan(s). Additionally, a brief description of the planned architecture may be required, if more than one plan exists
  • Plan of Action Completion Date – a date that a score of 110 is expected to be achieved for each system security plan assessed (i.e., all requirements implemented) based on information gathered from the associated plan(s) of action developed in accordance with NIST SP 800-171 (security requirement 3.12.2)

Why You Should Immediately Address these Aspects of the Interim Rule

Given the level of information that you are required to expose to the government contractors should have a sense of urgency around getting started with NIST 800-171 compliance if they have not already. If you score poorly it’s doubtful that your general counsel, contracts, or other business partners will want a substandard assessment sitting in a government database potentially putting you at a competitive disadvantage. Scoring can range from +110 (Perfect) to -203 (Failure), so you will want to use these next 60 days to make improvements and produce the best score possible before you submit your assessment.

Scoring for Basic, Medium, and High NIST SP 800-171 DoD Assessments is the same. The scoring methodology security requirements are weighted so just looking at some of the highest weighted requirements can give you a sense of how much work you might have ahead of you. If you are responsible for NIST 800-171 compliance at your company it’s easy to quickly determine how bad, or good, you might fare by looking at the scoring methodology and comparing that to what you are, or are not, doing today. Of the hundreds of assessments CyberSheath has done over the last eight years we have observed, on average, 70% non-compliance. Take a quick look at these requirements and associated values and compare them against what you know to be true for your organization, did you just lose 35 points before you even started your assessment?

DFARS Interim Rule - Security Requirements

These are just 7 of the 110 security requirements but they all require hard work and dedicated resources to become compliant. Again, this represents only 35 of 110 possible points so hopefully, our point is clear, implementing these security requirements takes time.  The DFARS Interim rule represents an emergency for non-compliant DoD contractors.

For almost two years now, we’ve been telling clients that their focus is and should always have been on NIST 800-171 compliance, as mandated in DFARS clause 252.204-7012. Now the DoD is clamping down on non-compliance.

Next Steps

Sprint to compliance in less than 60 days with CyberSheath’s proven methodology based on three core disciplines: Assess, Implement, Manage (AIM™)

DFARS Interim Rule 60 Day Sprint Timeline

It’s been quite a week.

The DoD released an interim rule to “amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a DoD Assessment Methodology and Cybersecurity Maturity Model Certification framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.”

The DoD requested, and OMB authorized, emergency processing of the collection of information tied to this rule. The emergency justification impacts all DoD contractors in the long term and short term as they will now be required to prove and submit evidence of compliance with DFARS clause 252.204-7012 and NIST 800-171. Additionally, the rule creates the following new solicitation provision and contract clauses:

  • DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements;
  • DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements; and
  • DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements.

The interim rule, effective 60 days from publication, has triggered a number of questions from contractors. Here are the answers we believe we know, the answers that we aren’t certain about, and the answers that are unclear, but we can surmise based on past experience.


DFARS Interim Rule and Emergency Justification FAQ


DFARS Interim Rule and Emergency Action: What We Believe We Know

What is the nature of the emergency justification?

The government is finally asking the defense industrial base to submit evidence of compliance with DFARS clause 252.204-7012 and NIST 800-171. In the past, the DoD trusted, with almost no verification, contractors to adhere to the rules and there was no compulsory submission required to prove compliance. The nature of the emergency is “The aggregate loss of sensitive controlled unclassified information and intellectual property from the DIB sector could undermine U.S. technological advantages and increase risk to DoD missions.”

Why did the change occur?

Explicitly, to make sure two things are happening:

  • The supply chain is making strong improvements to security and meeting current contractual commitments
  • To motivate contractors who have ignored the current requirements by forcing information collection

But the interim rule also codifies into the CMMC. The onboarding of the CMMC structure will ramp up over the course of the next five years. The DoD can’t afford to wait that long to ensure American IP is protected so they will move to collect evidence of compliance with DFARS clause 252.204-7012 in parallel to CMMC ramp up.

What immediate steps should a covered entity take after this rule change?

First, reconcile how long it’s been since you’ve self-attested in line with the 2017 DFARS rule and more specifically NIST 800-171. A company that has fully implemented all 110 NIST SP 800-171 security requirements, would have a score of 110 to report in Supplier Performance Risk System (SPRS) for their Basic Assessment. A company that has unimplemented requirements will use the scoring methodology to assign a value to each unimplemented requirement, add up those values, and subcontract the total value from 110 to determine their score. The  NIST SP 800-171 DoD Assessment Methodology is available here.

Your properly scored Basic Assessment and self-attestation should show you have made a habit of improving your environment over the last three years. If you have not shown improvement on your Plan of Actions and Milestones (POA&Ms), you need to take steps to demonstrate what you are doing to make progress. Ideally, you should have at least three self-assessments from the past three years against DFARS 252.204-7012, and more if you’ve made major changes to your environment that would trigger another self-assessment.

Check out our article on the five steps every organization should take to meet the NIST 800-171 requirements.

What role do my Third-Party Providers (TPPs) have in my attestation?

A major role. You have to attest that your TPPs who handle CUI meet the same or higher security standards as you do.

The biggest stumbling block for many contractors is their TPP contract language. Any organization with a DoD contract that’s handling controlled unclassified information (CUI) must have specific contract language for any of their TPPs that handle CUI, requiring them to meet or exceed the same security standards you do. How many MSPs or MSSPs are doing that today…very few.

In fact, the interim DFARs rule has this verbatim clause buried within the latest 89-page update:

2) The Contractor shall not award a subcontract or other contractual instrument, that is subject to the implementation of NIST SP 800-171 security requirements, in accordance with DFARS clause 252.204-7012 of this contract, unless the subcontractor has completed, within the last 3 years, at least a Basic NIST SP 800- 171 DoD Assessment, as described here, for all covered contractor information systems relevant to its offer that are not part of an information technology service or system operated on behalf of the Government. (3) If a subcontractor does not have summary level scores of a current NIST SP 800-171 DoD Assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) posted in SPRS, the subcontractor may conduct and submit a Basic Assessment, in accordance with the NIST SP 800-171 DoD Assessment Methodology, to for posting to SPRS along with the information required by paragraph (d) of this clause.

Can the government ask for my managed services contracts to demonstrate compliance with the DFARS verbiage inclusion?

Not only can they — they almost definitely will.

Is this rule retroactive? E.g. does this cover time periods of the previous self-attestation?

The truth is that this behavior and level of compliance were supposed to be in place all along and this action simply asks you to prove you’ve been doing it. This is where some contractors will find themselves between a rock and a hard place if they have self-attested but never really implemented NIST 800-171.

DFARS Interim Rule and Emergency Action: What’s Unclear

Does everyone who previously self-attested now submit documentation?

No, you don’t have to submit documentation today to the government but moving forward all DoD awards will require the submission of, at a minimum, a Basic Assessment.

It’s unclear why documentation has not been required before now. Maybe the government didn’t want to have access to the information or didn’t have a program to evaluate the information, or maybe the risk level wasn’t the same as it is today. It is also possible that lobbyists and industry trade associations fought off this requirement.

What needs to be submitted when to the government and when?

At a minimum, contractors will need to produce their assessment using the standard scoring methodology, which reflects the net effect of NIST SP 800-171 security requirements not yet implemented. There are three assessment levels (Basic, Medium, and High), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment. A Basic Assessment is a self-assessment completed by the contractor, while Medium or High Assessments are completed by the Government. The Assessments are completed for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.

Contractor assessments results are documented in the Supplier Performance Risk System (SPRS) to provide DoD Components with visibility into the scores of Assessments already completed; and verify that an offeror has a current (i.e., not more than three years old, unless a lesser time is specified in the solicitation) Assessment, at any level, on record prior to contract award.

The presumption is that the DoD wants what’s typically asked for in an audit or what prime contractors are asked to provide when they get a subcontractor: A System Security Plan (SSP), any POA&Ms, and attestation for where the program stands against NIST 800-171.

What does Basic / Medium / High mean in the release verbiage?

There are three assessment levels (Basic, Medium, and High), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment. A Basic Assessment is a self-assessment completed by the contractor, while Medium or High Assessments are completed by the Government. The Assessments are completed for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.

How does the interim rule affect CMMC roadmap and compliance?

The rule builds upon the NIST SP 800-171 and DoD Assessment Methodology mandating the CMMC framework which adds a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB contractor can adequately protect sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.

DoD is implementing a phased rollout of CMMC. Until September 30, 2025, the clause at  52.204-7021, Cybersecurity Maturity Model Certification Requirements, is prescribed for use in solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, excluding acquisitions exclusively for COTS items, if the required document or statement of work requires a contractor to have a specific CMMC level. In order to implement the phased rollout of CMMC, the inclusion of a CMMC requirement in a solicitation during this time period must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment.

CMMC will apply to all DoD solicitations and contracts, including those for the acquisition of commercial items (except those exclusively COTS items) valued at greater than the micro-purchase threshold, starting on or after October 1, 2025.

If the government finds fault with your self-attestation documentation, what are the ramifications?

Contractors who are not accurate in their assessment reporting could be subject to the False Claims Act (FCA) which imposes civil and potentially criminal liability on anyone who knowingly presents a false or fraudulent claim for payment to the federal government, or knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim. This is not theoretical, read more on the most visible DoD FCA case for cybersecurity.

Can an outside provider or third-party submit my documentation on my behalf?

This is unclear, but probably not. The government doesn’t want you to have the ability to say your service provider submitted it incorrectly or made material errors.  An outside provider can prepare the materials you can send along yourself, much like a CPA might prepare your taxes, but you sign them.  The exception would likely be the Medium or High Assessments that are completed by the Government in which they would submit the results.

What is the process if you want to dispute your compliance rating under the pre-CMMC assessment process?

We don’t know the answer to this one. There needs to be some sort of arbitration or dispute process to go through judgments against you and revisions to documents, as you might do with taxes, but the process is not obvious right now.

Is there any arbitration or a process of procedural review of negative findings?

Same answer as above — as of right now there is not an obvious process, but there should be one.


DFARS Interim Rule and Emergency Action: What We Know

What is the difference between DFARS 252.204-7012 and the new DFARS 252.204-7021?

7012 is universally applied and 7021 requires a demonstration of maturity based on the risk level of the contract.

7012 involves self-attesting and self-submitting documentation, and 7021 requires third-party assessments, but also self-submitting.

7012 is based on policing and enforcement and 7021 is based on the winning of revenue and contracts.

7012 allows tolerance for not having certain controls in place at the moment so long as you’ve identified those and you have a plan to rectify them, and 7021 is intolerant — you must not only have evident practices in place but also show they’re habitually deployed.

In five years, 7012 will be sunsetting, and 7021 will be sunrising. DFARS 252.204-7021 is the new law of the land.

How many CMMC driven contracts are expected in FY2021? 

 The rule says:

“Based on information from the Federal Procurement Data System (FPDS), the number of unique prime contractors is 212,657 and the number of known unique subcontractors is 8,309. Therefore, the total number of known unique prime contractors and subcontractors is 220,966, of which approximately 163,391 (74 percent) are estimated to be unique small businesses. According to FPDS, the average number of new contracts for unique contractors is 47,905 for any given year.”

The document also includes a chart showing how many contracts to expect at each CMMC level each year:Proposed-CMMC-Contracts-by-Levels+Year

Will my self-disclosures be made public? Is it disclosable in a FOIA request?

 There is no mention of that in DFARS 252.204-7021, but the feeling is that the information will not be generally available to the public, but it might be subject to a FOIA request.

When you are self-attesting and going on record about what you do and don’t do from a security perspective, that invites hackers to open up the database and see where organizations are vulnerable. This information could also materially affect the way companies and investors view mergers and acquisitions, due diligence, and so forth. So, it is unlikely that the self-disclosures will be truly public.


The Bottom Line

Time’s up to get compliant or forgo DoD revenue, it is that simple.  The government is getting more aggressive in cracking down on cybersecurity to protect American assets throughout the defense industrial base and has been very specific as to their expectations.

The DoD means business. The time to take action is now.

The experts at CyberSheath understand your challenges – and we can help. Contact us to make sure your assessment gets – and stays – on track.


Next Steps

Sprint to compliance in less than 60 days with CyberSheath’s proven methodology based on three core disciplines: Assess, Implement, Manage (AIM™)

DFARS Interim Rule 60 Day Sprint Timeline

Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) is here. Often referred to as CMMC this long-awaited and hotly debated Interim Rule harmonizes legacy (DFARS clause 252.204-7012) and future (CMMC) requirements with the following statement:

“DoD has developed the following assessment methodology and framework to assess contractor implementation of cybersecurity requirements, both of which are being implemented by this rule: the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology and the Cybersecurity Maturity Model Certification (CMMC) Framework.”

Specifically, the rule creates the following new solicitation provision and contract clauses:

  • DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements;
  • DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements; and
  • DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements.

Assessment Methodology to ensure NIST 800-171 Compliance

DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, included in all solicitations and contracts, requires contractors to apply the security requirements of NIST SP 800-171 to “covered contractor information systems” or those that “are not part of an IT service or system operated on behalf of the Government”, i.e your contractor networks, labs, cloud environments, etc.  This clause has long existed but rarely been enforced by DoD or adhered to by contractors. Rare contractors who have been audited for compliance have been evaluated against the NIST SP 800-171 DoD Assessment Methodology for assessment of a contractor’s implementation of NIST SP 800-171 security requirements. The NIST SP 800-171 DoD Assessment Methodology is available, here.

If you are not familiar with the assessment methodology it is probably because you have not been audited or have done a quick internal assessment that did not adhere to the scoring defined within the methodology. Time to get familiar with it. Again, directly from the interim rule:

“The Assessment uses a standard scoring methodology, which reflects the net effect of NIST SP 800-171 security requirements not yet implemented by a contractor, and three assessment levels (Basic, Medium, and High), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment. A Basic Assessment is a self-assessment completed by the contractor, while Medium or High Assessments are completed by the Government. The Assessments are completed for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.”

The results of Assessments are documented in the Supplier Performance Risk System (SPRS) giving DoD visibility into completed assessment scores and an ability to verify that a contractor has a current (i.e., not more than three years old) assessment on record prior to contract award. This is something that contractors should pay careful attention to. Because of the widely unenforced existing compliance requirements, most contractors have already self-attested to compliance without ever having submitted an assessment or having been audited. This silent majority is now in the position of being required to, at a minimum, submit a self-assessment that will go into SPRS. How will contractors address the fact they have already attested to compliance and now have an assessment that shows, in our experience, on average 70% non-compliance? Squaring this conflict will require some thoughtful planning and time with your general counsel.

New Interim Rule Outlines the Purpose of CMMC

Nearly everyone expected the new rule to force CMMC implementation (it does with a new DFARS subpart (Subpart 204.75, Cybersecurity Maturity Model Certification CMMC) and mandating DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, for use in all solicitations and contracts or task orders or delivery orders) it also thoughtfully describes a long transition from NIST 800-171 to CMMC.

The purpose of this blog is not to describe CMMC in detail but for those interested in an overview please look here. What contractors really need to know right now about CMMC is that DoD is implementing a phased rollout of CMMC, essentially making it an October 1, 2025 requirement. Up until September 30, 2025 inclusion of a CMMC requirement in a DoD solicitation must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment. On October 1, 2025, and thereafter CMMC will apply to all DoD solicitations and contracts, except those exclusively COTS items.  After this date, DoD contracting officers will not award, or exercise an option on a contract without a current (i.e. not older than three years) certification for the required CMMC level. Additionally, and as expected, CMMC certification requirements are required to be flowed down to subcontractors at all tiers.

The new CMMC has always been about assurance, giving DoD a way to ensure all of their suppliers are adequately protecting sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level commensurate with the risk and accounting for information flow down to its subcontractors in a multi-tier supply chain. Assurance, essentially third party validation, was and is required because DoD has proven that contractors self-attestation of compliance was optimistic to be generous. Few contractors actually implemented NIST 800-171 and the DoD is no longer going to accept that risk for its supply chain. As the new rule describes the purpose of CMMC:

“CMMC is designed to provide increased assurance to the Department that a DIB contractor can adequately protect sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain. A DIB contractor can achieve a specific CMMC level for its entire enterprise network or particular segment(s) or enclave(s), depending upon where the information to be protected is processed, stored, or transmitted.”

Key Takeaway

DoD has previously accepted a contractor’s self-attestation and contractors have had a statistically low risk of an audit, but now they have to produce evidence of what they’ve been saying all along.  DoD acquisition just changed and they are deadly serious about securing the supply chain, this is a call to action.

Contractors may find themselves between a rock and hard place with this new requirement as they balance previous attestation claims and best intentions against minimal compliance efforts.

Taking steps now, in response to this emergency action, will not only bring you into compliance with existing requirements but prepare you for CMMC as well. By focusing on compliance with NIST 800-171, you’ll be 85% of the way to CMMC ML 3 compliance when it arrives.

So where do you start? We’ve developed a proven, audited tested methodology over hundreds of assessments to enable contractors to meet NIST 800-171 compliance. Download our 5 Step Guide to CMMC preparation that assures compliance with NIST 800-171.

5 Steps to CMMC Preparation

The Department of Defense (DoD) has instituted an emergency action, possibly to confirm what is widely already known on cybersecurity compliance among the defense industrial base (DIB). Self-certification for defense contractors has enabled “barely there” cybersecurity unless you are one of the small number of contractors who took it seriously.

The action, approved by the Office of Information and Regulatory Affairs (OIRA), requires offerors and contractors to assess their compliance with DFARS clause 252.204-7012 and NIST 800-171. All offerors and contractors must submit a basic self-assessment, or a medium or high assessment conducted by DoD assessors. Details are scarce and connection to the Cybersecurity Maturity Model Certification (CMMC) is anyone’s guess, but for contractors who have previously self-certified as compliant but not actually implemented the controls, this could be problematic, to say the least.

The DoD has previously accepted a contractor’s self-attestation and contractors have had a statistically low risk of an audit, but now they have to produce evidence of what they’ve been saying all along.  This emergency rule isn’t just a call to action. It’s the DoD calling the DIB’s bluff. If anyone doubted the seriousness of the DoD’s efforts to avert data loss, this emergency action should be evidence enough that they want the data to confirm or refute claims of compliance.

Contractors may find themselves between a rock and hard place with this new requirement as they balance previous attestation claims and best intentions against minimal compliance efforts. Many contractors kept waiting for the “cyber police” to show up and when they never came it was largely business as usual. The cyber police are here and it’s time to get your house in order.

Taking steps now, in response to this emergency action, will not only bring you into compliance with existing requirements but prepare you for CMMC as well. By focusing on compliance with NIST 800-171, you’ll be 85% of the way to CMMC ML 3 compliance if/when that it arrives. If it never arrives, an unlikely outcome, you will at least have met your current contractual obligations.


So where do you start? We’ve developed a proven, audited tested methodology over hundreds of assessments to enable contractors to meet NIST 800-171 compliance.


Follow our five-step process for success:

1. Assess current operations for compliance with NIST 800-171.

Start with a gap assessment of your current people, processes, and technology against compliance with NIST 800-171. This assessment will:

  • Directly link to Control 3.12.1 of NIST 800-171, which requires that you “periodically assess the security controls in organizational systems to determine if the controls are effective in their application.”
  • Give you a clear view of your current compliance with the remaining controls.
  • Generate a System Security Plan (SSP) and associated Plan of Actions & Milestones (POA&Ms), both of which are NIST SP 800-171 requirements.


2. Write your SSP.

NIST 800-171, Revision 1, requires contractors to develop, document, and periodically update SSPs that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

Initially, your SSP will be an aspirational document. You’ll find that many of the 110 required NIST SP 800-171 controls are not fully implemented in your environment. A common mistake is to write an SSP that doesn’t reflect the reality of control implementation.


3. Document your POA&Ms.

Also a requirement of NIST 800-171, Revision 1, your POA&Ms will detail your plans to correct deficiencies, reduce or eliminate vulnerabilities, and achieve compliance.

These plans can be documented in a variety of formats, but at a minimum, they should detail:

  • The deficiency identified
  • The plan to correct the deficiency (people, processes, and/or technology)
  • Dates by which you intend to be compliant against the specific deficiency

Well-documented POA&Ms will enable eventual mapping to CMMC maturity levels.

Note that SSPs and POA&Ms can be documented as separate or combined documents. You should choose a format that integrates with existing business processes and can be easily maintained.


4. Implement the required controls.

Execute your POA&Ms and achieve full compliance with NIST 800-171. This is probably going to be a full-time effort and depending on your resources, you can benefit from working with a third party to implement the controls.

If you’re looking for an effective partner, make sure to ask the following questions:

  • Have they implemented the NIST 800-171 controls for similar-sized businesses?
  • Have they solved the unique challenges that come with implementing NIST 800-171 controls in manufacturing, lab, and engineering environments?
  • Can they provide several references?


5. Maintain Compliance.

Once you’ve made it this far, it’s time to plan for ongoing compliance. You’ll need to achieve the following:

  • Documented and automated compliance reporting
  • Support Request for Proposal (RFP) and other acquisition-related business development activities
  • Ongoing operational expense related to maintaining compliance


For almost two years now, we’ve been telling clients that their focus is and should always have been on NIST 800-171 compliance, as mandated in DFARS clause 252.204-7012. Now the DoD is clamping down on noncompliance. As we look ahead to CMMC, taking action now will put you in a better position when the next action arrives.


In 2019, the Department of Defense (DoD) officially announced the introduction of a Cybersecurity Maturity Model Certification (CMMC). This unique maturity model is designed to improve the cybersecurity regarding Controlled Unclassified Information (CUI) within supply chains, especially as it applies to the Defense Industrial Base (DIB).

Version 1.0 of the CMMC framework was released in January 2020. By June 2020, CMMC requirements have started to be included in DoD and later GSA Stars Contracts Request for Information (RFIs) and Requests for Proposals (RFPs). Think about that for a second, within six months of creating a new model to assess the cybersecurity of defense contractor networks the language has started appearing in official acquisition documents. The CMMC train has left the station, in a hurry.

CMMC is the latest entry in regulations from a decade long process of public/private partnership between the DoD and DIB. Critically, the DoD is moving away from contractor led self-assessment and reporting to compulsory third-party certification pre-contract award. You will need certification, from an independent third party for future DoD contracts. (See graphic below.)


Who Must Comply?

As of this post, CMMC was still working its way through the rulemaking process for DFARS (Defense Federal Acquisition Regulation Supplement), which is expected to be released in November 2020. That said if your company provides products being sold to the Department of Defense (DoD) you are required to comply with the minimum cybersecurity standards set by the current DFARS clause 252.204-7012. All DoD contractors that process, store, or transmit Controlled Unclassified Information (CUI) must meet DFARS minimum security standards or risk losing their DoD contracts. DFARS provides a set of adequate security controls to safeguard information systems where contractor data resides. Based on NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations,” manufacturers must implement these security controls through all levels of their supply chain. The silver lining is that CMMC builds on NIST 800-171 so when in doubt that is where you should start as it’s the current legal requirement.

If your DoD contracts do not require you to process, store, or transmit CUI, you must still protect Federal Contract Information (FCI) under Federal Acquisition Regulation (FAR) 52.204-21. Examples of FCI include contract documents, schedules, billing information, etc. The new DFARS clause is expected to combine the cybersecurity requirements from DFARS 25.204-7012 and FAR 52.204-21 into a common framework based on the CMMC model.

Government contractors are now being asked to effectively police their supply chains to address, among other risks, cybersecurity.  Supply chain management is now a key element to ensuring a company’s compliance with laws, regulations, and its internal policies, and to identify risks that could impact a company’s ability to perform, as well as its reputation. The fact that supply chains are global, increases the risks and demands on companies.

In fact, they must not simply police their supply chain, but they are legally bound to use specific contract verbiage with providers who may interface with CUI information which is as follows:

DFARS 252.204-7012(m):  “Include this clause, including this paragraph (m), in subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve covered defense information,…”

Keypoints to this law:

  1. All third-party providers (TPPs) and Managed Security Service Providers (MSSPs) must be obligated to DFARS if they house, control, process, or maintain CUI.
  2. You are not in compliance with CMMC if your downstream MSSPs / TPPs are not compliant.
  3. You are not compliant if you don’t have contractually compliant language between you and the TPPs / MSSPs.

Navigating the dizzying world of different CMMC solutions can be a daunting task.  The recommended solutions and vendor mix can be very hard to understand.  Now let’s investigate these key points made above in more detail:

Pivotal question: Does my TPP or MSSP need to be compliant?

All TPPs and MSSPs must be obligated to DFARS if they house, control, process, or maintain CUI.   What exactly is CUI?  Let’s read on:

I want to repost an excerpt from our key business partner Microsoft in which Richard Wakeman provides a blog on CUI as follows:

What is Controlled Unclassified Information?
If you have not read the CUI History from the National Archives and Records Administration (NARA), I highly recommend it.  It’s a short read, and helpful for context. To summarize, before the advent of CUI, there was a myriad of autonomous Federal agencies and departments that had each developed its own practices for protecting sensitive information.  This non-conformity made it extremely difficult to share information with transparency throughout the Federal government and its stakeholders, such as the Defense Industrial Base (DIB). The CUI program is an ever-evolving initiative to standardize the markings and data protection practices across Federal agencies to facilitate sharing of sensitive information, transcending individual agencies.  Ultimately, NARA oversees the CUI Program and is primarily scoped to the Federal executive branch agencies.  Major contributors to the program include the DoD, the Department of Energy (DoE), the Department of Homeland Security (DHS), the Department of State (DoS), etc. NARA defines CUI as: “Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”Presidential executive orders evolved to a rule published in 2016 called “32 CFR Part 2002 Controlled Unclassified Information”.  You can read about it here in the Federal Register. 32 CFR Part 2002 prescribes the CUI Program markings that span many categories and groupings.  The groupings consist of everything from Financial and Privacy data, all the way up to Export Controlled and Intelligence data.  You can find the list here.
Microsoft Summary CUI Registry

3 Key Questions for your MSSP to indicate CMMC Compliance

Question 1: Is the CUI housed in USA Sovereignty? –  Or – Where are the location of all operations?  Perhaps another way to ask this question is by querying if the vendor has any operations located outside of the US?

A key attribute to the US DoD supply chain is understanding where their supply chain is located, and whether the location may provide some risk to the DoD supply chain.  U.S. companies that do business abroad or handle overseas data will now have to comply with a host of new cybersecurity rules after China became the latest country to impose regulations on firms operating there.

This follows hot on the heels of the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which came into force in the U.S. in March 2018, and the European Union’s (EU) General Data Protection Regulation (GDPR), introduced two months later.

The implementation of these new protocols is driven by the recent surge in cyberattacks and, in the case of China, greater protectionism, exacerbated by the U.S. trade war, as the world becomes more divided.   Regardless, there are many cybersecurity firms that maintain global operations and software maintenance stations in unassuming regions of the world and this must be understood before you select your vendor.


Question 2:  Like Amazon Web Services, Microsoft and Google, do you separate out your government CUI customers from the infrastructure of all of your other customers? Does your provider know how to make the infrastructure comply with the various forms of CUI?

Here is the issue with mixed tenants of cloud environments and the protection of CUI which was quoted by Microsoft’s blog:

“Microsoft has prescribed the US Sovereign Cloud with Azure Government and Microsoft 365 GCC High to protect CUI and CDI consistently.  Our rationale is that CUI does include ITAR regulated data, and the DoD requires DFARS 7012 to protect it.  We only accommodate that contractually across Azure, Office 365, and Dynamics 365 in the US Sovereign Cloud.  It’s that simple.  It’s true that you may demonstrate compliance for CUI in our Commercial or GCC cloud offerings, but you will not get a contractual obligation from Microsoft to protect an aggregate of CUI anywhere else other than in the US Sovereign Cloud.  It will be your sole responsibility to prove and maintain compliance for it in other clouds.”


Question 3: Have you placed the DFARs compliant verbiage on CUI into the contract with the MSSP / TPP?   Was this a standard offering in verbiage in their contracts or non-standard?

I believe this is self-explanatory however to make this point very poignant let’s look at the prescribing law:

DAU Related Policies Cloud Computing

For many organizations, their technology, and the corresponding data are among their most valued assets. An organization’s CMMC / CUI Cybersecurity Program is an ever-evolving initiative that attempts to standardize the security data protection practices across supply chains including third-party providers and managed security service providers.  If your TPP or MSSP cannot meet the full requirements of CMMC certification, it is unlikely that you will be able to successfully complete a CMMC certification assessment. When choosing TPP’s or MSSP’s, choose wisely, your DoD revenue may depend on it.

Looking for an MSSP to partner with on your journey to CMMC preparation?

Join CyberSheath’s Eric Noonan, CEO, and Carl Herberger, VP of Security Services, dive into CyberSheath’s CMMC Managed Services for Defense Contractors using Microsoft Technology Stack during our upcoming webinar September 30, 2020, at 9:00 am | 12:00 pm EST > Save Your Spot

CMMC Compliance Managed Service Launch - Register Now

The U.S. has to up-level its cybersecurity. That’s the gist of what we’ve been hearing from multiple sources, including congressional commissions and the Department of Defense (DoD). The alarm bells — and the calls for more stringent security practices — will only grow louder.

The Cyberspace Solarium Commission used the U.S. COVID-19 response as an opportunity to assess the nation’s preparedness for a major, debilitating cyberattack. It highlighted the need to implement more than 30 recommendations from a previous report, as well as five more based on its findings around the pandemic.

Eric Noonan, CyberSheath’s CEO, will be speaking about those kinds of preparations for a national cyberattack against the U.S. on a panel at Cybersecurity Forum 2020. He will be joined by Paul Anderson of Port Tampa Bay, and Michael Wee of Northrop Grumman to talk about lessons learned from the pandemic, the state of cybersecurity planning and organization, and where to focus efforts to better prepare for a major attack. Register for the event here and tune in on Wednesday, September 16 at 2:15 pm ET, if you’d like to learn more.

Another ongoing effort to shore up security is the Cybersecurity Maturity Model Certification (CMMC). This is the DoD’s effort to ensure all defense contractors are practicing and maintaining the proper level of security to better protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

As founder and CEO of CyberSheath, the Title Sponsor of Cybersecurity Forum 2020, Eric is well versed in the goals and efforts behind the CMMC. CyberSheath has been delivering audit-ready, compliance-focused managed services for NIST 800-171 requirements for 8+ years, and the CMMC is the next evolution of those standards.

It’s one of the most comprehensive and impactful moves by the DoD to better secure sensitive data that resides on defense contractors’ systems and networks. As a new set of requirements, many defense contractors are still working to understand the complexities and nuances of the standards, what they’re responsible for, and how to implement those changes.

CyberSheath launched our compliance managed services for CMMC to assist DoD contractors through the process. Through our managed services, we’re able to meet contractors where they are, identify gaps in CMMC compliance, implement the changes, and maintain and assure their compliance at the proper level.

We wanted to be the Title Sponsor of Cybersecurity Forum 2020 because it’s advancing important conversations around the state of security and where we can go from here. In particular, we are looking forward to keynote speakers Senator Marco Rubio, who will give an overview of the risks of national cyber breaches; and Katie Arrington, CISO for the Office of the Secretary of Defense for Acquisition and Sustainment, who will speak on what’s needed for CMMC compliance.

While the U.S. faces cyber threats from around the world, we have plenty of lessons to learn from other disaster responses and a new bar for effective cybersecurity. We don’t know what attacks might be coming, but we do know how to prepare. We hope this year’s conference will spur all in attendance to advance the cybersecurity goals that will defend American innovation and infrastructure.

Recently, the National Institute of Standards and Technology (NIST) re-released the Draft Special Publication (SP) 800-171B as Draft SP 800-172. This document is in final draft review with all comments due August 21, 2020.

What is new in NIST 800-172?

The new NIST 800-172 is intended as a supplement to NIST 800-171, the cybersecurity framework required by DFARS 252.204-7012 on all DoD contracts to protect Controlled Unclassified Information (CUI). While NIST 800-171 provides the basic cybersecurity controls required to protect CUI on a majority of DoD programs and suppliers, NIST 800-172 defines enhanced cybersecurity controls intended to protect CUI subject to enhanced threats. In particular, NIST 800-172 aims to protect programs and contractors that might be the target of one or more Advanced Persistent Threats (APT). An APT is a stealthy threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. As such, it requires enhanced cybersecurity activities to prevent an APT from accessing a contractor’s network, or even identifying that an APT has already gained unauthorized access to a contractor’s systems or networks.

How will NIST SP 800-172 Affect My Contracts?

One question that comes up is, “How will NIST 800-172 affect my contracts?” Currently, the answer is that it does not directly. Unlike NIST 800-171, the required cybersecurity framework imposed on all DoD contracts that handle CUI through DFARS 252.204-7012, no DFARS clause requires NIST 800-172. Once NIST 800-172 has completed the NIST Draft comment phase and been formally released, an individual contract that is considered high risk from an APT may call out part or all of the NIST 800-172 cybersecurity controls as requirements, but this is likely to be very rare. The more likely scenario for these contracts will be adopting the Cybersecurity Maturity Model Certification (CMMC) framework at Maturity Levels 4 or 5. But even this is expected to be a rare situation. Katie Arrington, CISO for Assistant Secretary for Defense Acquisition, estimates that .06% of all contractors will require CMMC Level 4 or 5 certification.

CMMC’s Incorporation of NIST 800-172

The CMMC framework was formally released in January 2020 and is currently positioned as a replacement for NIST 800-171. CMMC defines five (5) cybersecurity maturity levels. Maturity Level 3 corresponds roughly to NIST 800-171, incorporating all 110 security controls from NIST 800-171 plus 20 new controls drawn from other frameworks. CMMC Maturity Levels 4 and 5 provide 41 additional cybersecurity controls specifically targeted at contracts and contractors considered subject to an APT. CMMC Levels 4 and 5 include 15 of the NIST 800-172 (formerly NIST 800-171B) controls.

The DoD is working now to publish a new DFARS clause and contract language to allow DoD agencies to include the new CMMC framework in future requests for proposals (RFPs). Once this has completed the public comment and final release phases, the DoD plans to roll out the CMMC over the next five years, starting with approximately 15 “Pathfinder” programs in FY2021.

How to Prepare for Cybersecurity Maturity Model Certification

Compliance with ever-evolving DoD cybersecurity mandates like DFARS 252.204-7012, NIST 800-171, and CMMC is complicated and confusing. It can be hard to understand the outcomes that you should focus on and how to measure success. What does success even look like? How can I partner with a Managed Services provider to deliver measurable outcomes that ensure compliance?

Access our latest webinar, NIST 800-171 Case Study: Surviving a DoD Audit, to prepare your organization for CMMC. Go behind the scenes through a defense contractor’s journey from 35% compliance to a successful audit and “low-risk rating” by the DoD.

Access Webinar Now.

Current Compliance Landscape

Deputy Defense Secretary Patrick Shanahan spoke at the Armed Forces Communications and Electronics Association (AFCEA) on Feb 6, 2018, and said, “The culture we need to get to [around IT security] is that we’re going to defend ourselves and that we want the bar to be so high that it becomes a condition of doing business.” Fast forward two years later and we are on the cusp of one of the largest changes to DoD acquisition ever with mandatory minimums for cybersecurity across all DoD contracts.

For commercial firms providing services to the U.S. defense industry, the challenge that is cybersecurity has been growing for years but largely without any oversight from the DoD. Defense budgets and the use of contractors have grown in parallel to the storing of important, yet unclassified information on commercial defense contractor networks. This exposure, Controlled Unclassified Information (CUI) resident on unregulated and often under secured contractor networks across the DoD supply chain has become a risk that requires addressing for the DoD.

The Defense Industry has always worried about security around products and services.  However, the business systems and IT infrastructure that supported those defense contractors were not monitored or significantly regulated by the US Government although vulnerable to attack.  The Pentagon has acknowledged an urgent need to tighten cybersecurity across its vast contracting operations and hold contractors accountable for minimum standards of care around cybersecurity.  Indeed, the requirements to protect data have been expanding for more than a decade and the Federal Acquisition Regulation (FAR) and the General Services Acquisition Regulation (GSAR) are expected to add data protection requirements in 2020.  In truth, the new Cybersecurity Maturity Model Certification (CMMC) and the ambitious effort to secure the DoD supply chain has been underway for many years now (see chart below).


Overview of CMMC

The Cybersecurity Maturity Model Certification (CMMC) program will serve as a method of verifying that appropriate levels of cybersecurity controls and processes meet a specific standard and are in place to protect controlled unclassified information that may be held on the DoD’s industry partners’ networks.

The CMMC program builds on another US government acquisition regulation called DFARS Clause 252.204-7012 which requires the implementation of NIST SP 800-171, Protecting Unclassified Information in Nonfederal Information Systems, and Organizations, as the standard for defense contractors handling CUI data.  As such, compliance with NIST 800-171 has been essential for winning and sustaining contracts since 2017 but the lack of oversight and auditing has led to many self-certified contractors that might not stand up to the scrutiny of a 3rd party audit. Because CMMC is at its foundation based on DFARS Clause 252.204-7012 and NIST SP 800-171 it’s important to understand these two separate but related requirements.

Understanding DFARS Clause


CMMC, when finalized and fully mature, will require independent validation of compliance by a CMMC Third-Party Assessor Organization (C3PAO). This is a significant change from DFARS Clause 252.204-7012 which allowed for self-certification and could upend a largely unprepared supply chain that has taken advantage of lax oversight and enforcement.

CMMC is broken down into five compliance levels which a company will need to be certified to be able to be awarded a DoD contract.  The levels break down (see below) into demonstrable levels of cybersecurity maturity from which a defense contractor can acquire more and more abilities to conduct services with the DoD.

CMMC Level Requirements

Your Current Managed Security Service Provider (MSSP) Probably Isn’t Doing Enough For CMMC

Most small business defense contractors do not separate IT from cybersecurity and often the IT work takes priority, not cybersecurity or compliance. Small businesses with one or two IT staff members who are already oversubscribed have no chance of ingesting CMMC and achieving compliance without the help of a Managed CMMC Service. Maintaining the security and compliance programs required by the government is now a full-time job and failure to do so will prevent your company from doing business with the DoD.  No matter how qualified or knowledgeable, a small team simply does not have time or the breadth of skills to architect, administer, and manage their environments in alignment with CMMC requirements. You cannot do it alone.

Over the last decade, many businesses have outsourced their security and/or compliance requirements through a Managed Security Service Provider (MSSP).  Effectively MSSPs take care of the security requirements and allow a business to focus on their core competencies. Few if any MSSPs have any real skin in the game when it comes to compliance. Read their statement of work and it is lightly mentioned if at all and there are caveats galore around why they are not responsible or accountable in any meaningful way. In many cases, MSSPs introduce their own set of issues, vulnerabilities, and compliance headaches because the MSSP is not properly equipped to manage data and processes in a manner aligned with CMMC requirements.  With the MSSP handling most every piece of security and monitoring but never documenting and attesting compliance with CMMC, the current MSSP model falls short of CMMC requirements.

Investing in CMMC compliance (which includes compliance with DFARS 7012 and NIST 800-171) is a big effort because it now includes line of business systems including finance, personnel, and IT vulnerability information.  While MSSPs are valuable partners who reduce overhead costs and enable businesses to stay focused on their core mission, it is important to remember that MSSPs will have access to documents, CUI, and data including passwords, access codes, and vulnerability information about their IT environment.  Because MSSPs have this kind of sensitive data in their possession, it is critical that they make the same investment in NIST 800-171 to ensure that you stay compliant and properly manage CUI information and the security of your IT environment. Again, most MSSPs have very little if anything in their statements of work regarding compliance so small businesses are left with a false sense of security around achieving CMMC compliance.

Without clear lines of responsibilities between the owner of compliance and the business and IT operations of the host company, the failure of a compliance audit is inevitable.

That is the bad news, now for the good news.

CyberSheath’s Managed CMMC Service

In response to the new federal requirements and an ever-changing landscape, CyberSheath has created a whole new set of Managed Services to allow for any business to achieve any CMMC compliance level they desire. Unlike every other MSSP in the market today our CMMC service offerings are an evolution of our successful legacy NIST 800-171 Managed Services. Said another way, we aren’t new to this space and we have been through dozens of successful third-party audits over the past five-plus years.

We offer 5 different levels of assured compliance for you to choose from based on your business requirements. To date, 100% of our customers are focused on CMMC Maturity Level (ML) 3 as it so closely aligns with the NIST 800-171 requirements.

First Step:

  • We meet your business where it is today. We will gain visibility of your desired CMMC ML and any gaps in processes, documentation, practices, or technology.
  • Gain current and ongoing visibility into NIST 800-171 / CMMC via professional certified assessments and remediation plans.

Second Step – Select Hosted Compliance Level(s):

  • Level 1: Become compliant with CMMC ML1 over your entire infrastructure within weeks.
  • Level 2: Work with a virtual security officer and get assistance with ongoing compliance program oversight and routine reporting.
  • Level 3: Quickly gain the ability to achieve compliance and bid on CMMC ML3 contracts with our cloud-based guaranteed compliance offering.
  • Level 4 or Level 5: Leverage our expertise as we maintain the rigorous program, technology, engineering, and implementation required for the most robust security standards.
  • Beyond:
    • Future-proof your compliance to changes in CMMC policy or implementation approaches by assigning ongoing program maintenance to CyberSheath.
    • High Cloud infrastructure in a hosted compliant process.

Third Step:   We manage your compliance as an outsourced compliance program inclusive of an MSSP

CyberSheath’s CMMC Shared Security Model is the Answer to CMMC Compliance for Small Businesses

Whether it be a public, private, or hybrid architecture, businesses must take responsibility for ensuring that their data is secure. With limited resources and no time to become a CMMC expert, the solution to the problem is clearly a shared responsibility model. CyberSheath has successfully implemented and been audited against our shared responsibility model many times over the last five-plus years so our solution is tested and audit-ready. Our tailored responsibility matrix eliminates single points of failure and ensures that all required security requirements have an owner and produce the required documentation and evidence. The shared responsibility model reduces the day-to-day operational demands on your business and ensures documented, repeatable, and audit-ready compliance.

With government revenues on the line, it is crucial to determine who controls the various components of the CMMC compliant infrastructure and operations. CyberSheath defines where and how security measures should be applied, with a special focus on CUI and other sensitive government data.

CyberSheath differentiates itself by taking ownership of assured CMMC compliance and it is a contractual requirement that we put right into our statements of work. This cannot be done in isolation and requires shared and distinct responsibilities on both sides of the partnership which tend to be specific to each company.  CyberSheath offers a ‘single-pane-of-glass’ to gain visibility into CMMC compliance, continuous security monitoring, and various important datasets, analytics, and user interfaces in one place. Our CMMC management platform is built around Microsoft Azure’s FedRAMP GCC High environment which ensures infrastructure capabilities that can detect and remedy security misconfigurations, leveraging services to ensure near-real-time compliance features.

Why CyberSheath?

Cybersheath has leveraged and lived this Shared Responsibility Model for NIST 800-171 successfully for many years now, and expect that it will be a fundamental part of CMMC attestation and MSSP partnerships going forward.  The experts at CyberSheath understand your challenges – and we can help. Contact us to make sure your CMMC readiness gets – and stays – on track.

The US Department of Defense (DoD) has one of the largest supply chains in the world, scaling to hundreds of thousands of different vendors and partners. While valuable, these vital partners in our nation’s defense infrastructure pose a huge cyber risk. Today that risk is largely unchecked and unregulated as contractors can “self-attest” to their ability to protect Controlled Unclassified Information (CUI).

Commercial companies are the lifeblood of any economy and the circulatory system of modern day societies.  They provide needed innovation, new discoveries, critical high-value support as well as materials and quick solutions to a myriad of problems. From the most arcane to the most mundane, the US Defense Department has needs in nearly every aspect of procuring commercial services, but this lifeblood paradoxically may imperil the entire system by leveraging companies with little respect for cybersecurity controls. In fact, in this connected world, no government or company can perfectly protect all its data from hackers and rival states. Even so, it is astonishing that, from January 2016 to February 2018, nearly 6 percent of U.S. military and aerospace contractors reported data breaches (according to Stars & Stripes).

And experts feel this is just the tip of the iceberg – the vast majority of security incidents are never uncovered. The Pentagon needs to tighten cybersecurity across its vast contracting operations and hold contractors accountable for minimum standards of care around cybersecurity. Essentially that is the goal behind the Cybersecurity Maturity Model Certification (CMMC) and the ambitious effort to secure the DoD supply chain. The CMMC effort is not without its critics but who can argue that real change wasn’t urgently needed?  Learn More about CMMC

Let us review some major breaches of national security that hopefully can be prevented in a post CMMC world so that you might be the judge:

Example One – Jan-Feb, 2018:  Comprise of US Navy “Operation SEA DRAGON” – Chinese hackers stole sensitive U.S. Navy submarine plans from Rhode Island DoD contractor

Citing unnamed U.S. officials, the Washington Post reported in June of 2018 about a very disturbing cyberattack of a US DoD contractor.  Evidently Chinese government hackers compromised the computers of a U.S. Navy contractor and stole a large amount (approximately 600+ Gigabits) of highly sensitive data on undersea warfare, including plans for a supersonic anti-ship missile for use on U.S. submarines.

The breaches took place in January and February, the officials told the Post, speaking on condition of anonymity about an ongoing investigation led by the Navy and assisted by the Federal Bureau of Investigation.

The U.S. Navy and an unnamed defense contractor are/were working on a new missile which the Navy says will give its submarines a new, “disruptive offensive capability” to take on enemy ships. The previously unknown weapon, known as Sea Dragon, supposedly combines an existing U.S. Navy platform with an existing capability, is likely a new version of a versatile air defense missile capable of pinch-hitting as an anti-ship missile.

Example Two – March 2019:  US Navy Review Concludes it is “Under Siege” by Chinese Hackers & Attackers

An internal U.S. Navy review concluded that the service and its various industry partners are “under cyber siege” from Chinese hackers who are building Beijing’s military capabilities while eroding the U.S.’s advantage, The Wall Street Journal reported Dec 2018 – Mar 2019. Chinese hackers have repeatedly hit the Navy, defense contractors, and even universities that partner with the service. “We are under siege,” a senior Navy official told The Journal. “People think it’s much like a deadly virus — if we don’t do anything, we could die.”

Three particularly worrisome recent incidents (2018-2020) were the theft by China of highly sensitive information on naval projects left on an unclassified network (2019), last year’s breach of private information on 30,000 Pentagon employees(2018), and the exposure of 60,000 files on a publicly accessible server involving a subcontractor to Booz Allen Hamilton (2018), the firm that employed Edward Snowden. And perhaps most embarrassing was the 2016 theft of sensitive plans for the F-35 fighter — a plane that will cost taxpayers $1.5 trillion over its lifespan. A small Australian subcontractor on the project had reportedly never changed its Windows passwords from the defaults “admin” and “guest.”

Example Three – Sept-Dec 2019:  Compromise of Emails and LinkedIn Accounts of military defense companies

In a report released in June 2020 by Slovakia-headquartered ESET cybersecurity company who said the cyberattacks of mainly European aerospace and military defense firms were launched between September and December 2019. A collaborative investigation with two of the affected European companies allowed them to gain insight into the operation and uncover previously undocumented malware.

To compromise their targets, the attackers used social engineering via LinkedIn, hiding behind the ruse of attractive, but bogus, job offers. Having established an initial foothold, the attackers deployed their custom, multistage malware, along with modified open-source tools. Besides malware, the adversaries made use of living off the land tactics, abusing legitimate tools and OS functions. Several techniques were used to avoid detection, including code signing, regular malware recompilation, and impersonating legitimate software and companies.

According to their investigation, the primary goal of the operation was espionage. However, in one of the cases we investigated, the attackers attempted to monetize access to a victim’s email account through a business email compromise (BEC) attack as the final stage of the operation.

As part of the initial compromise phase, the Operation In(ter)ception attackers had created fake LinkedIn accounts posing as HR representative of well-known companies in the aerospace and defense industries. In our investigation, we’ve seen profiles impersonating Collins Aerospace (formerly Rockwell Collins) and General Dynamics, both major US corporations in the field.


With the profiles set up, the attackers sought out employees of the targeted companies and messaged them with fictitious job offers using LinkedIn’s messaging feature, as seen in Figure 1. (Note: The fake LinkedIn accounts no longer exist.)

Once the attackers had the targets’ attention, they snuck malicious files into the conversation, disguised as documents related to the job offer in question.

Example Four – 2017-2020:  The Chinese APT Threat to Cleared Defense Contractors

In a report published in June of 2020, cyber-security firm Lookout said it found evidence connecting Android malware (APT 15) that was used to spy on minorities in China to a large government defense contractor from the city of Xi’an.

Lookout’s 52-page report details a years-long hacking campaign that has primarily targeted the Uyghur ethnic minority, living in western China, but also the Tibetan community, to a lesser degree.

The campaign infected individuals in these communities with malware, allowing government hackers to keep an eye on the activities of minority communities in China’s border regions but also living abroad in at least 14 other countries.

“Activity of these surveillance campaigns has been observed as far back as 2013,” Lookout researchers said. The company attributed this secret surveillance to a hacking group they believe operates on behalf of the Chinese government.

The fact that Lookout linked an APT15 malware sample to a Chinese defense contractor is not a novel discovery. From 2017 to 2019, four other Chinese state-sponsored hacking groups have been linked to contractors hired by Chinese intelligence agencies operating in various regional offices.

This includes:

APT3 – linked to a company named Boyusec operating on behalf of Chinese state security officials in the province of Guangdong

APT10 – linked to several companies operating on behalf of Chinese state security officials in the province of Tianjin

NEW!  APT 10 – Xi’an Tianhe Defense Technology, a large defense contractor in the city of Xi’an, in central China.

APT17 – linked to several companies operating on behalf of Chinese state security officials in the province of Jinan

APT40 – linked to several shell companies operating on behalf of Chinese state security officials in the province of Hainan

Operators behind APT3 and APT10 have eventually been charged by the US Department of Justice in November 2017 and December 2018, respectively.

Based on previous threat intelligence reports published by cyber-security firms Recorded Future and CrowdStrike, the Chinese Ministry of State Security outsources hacking operations to outside contractors, who report directly to, and take orders from intelligence officials.

In an FBI warning in 2018,, specifically cites examples against “Cleared Defense Contractors” and here is an excerpt of the alert:

“APT actors in the near future likely intend to target US Cleared Defense Contractors (CDC) via spear phishing campaigns or network infrastructure compromises, according to recent intelligence. Common spear phish targets may include individuals featured on internet-facing CDC Web sites and high-ranking CDC executives.

FBI has observed APT actors over the past two years precede spear phishing campaigns with open source research of targeted US company websites, particularly sections containing contact information for company officials which include names, titles, telephone numbers, and email addresses. In one case, an APT actor sent spear phishing emails within one-to-two weeks after researching the targeted US company.

Historically, APT actors have a strong desire to collect US defense and scientific intelligence to further their interests and advance strategic goals. As a result, US CDCs and research facilities may likely be targets for cyber adversaries due to their involvement in national security and their close relationship with the US Government.”

Example Five – Feb-June 2020:  DCSA Bulletin – US Defense Focused

In a report published recently by politico, they suggest they obtained a Defense Counterintelligence and Security Agency (DCSA) bulletin marked “unclassified/for official use only” and warns that DCSA’s cyber division detected nearly 600 “inbound and outbound connections” from “highly likely Electric Panda cyber threat actors” targeting 38 cleared contractor facilities, including those specializing in health care technology.   Moreover, the bulletin goes on to say, “Nearly 40 U.S. contracting facilities with access to classified information have been targeted by a hacking group with suspected ties to the Chinese government since Feb. 1”, according to a bulletin disseminated to contractors by the Defense Counterintelligence and Security Agency.

The so-called Electric Panda group is not new and appears to have been operating since at least 2016, according to one of the indicators listed by DCSA. The bulletin goes on to say that this group has been targeting contractors that specialize in cybersecurity, aerospace, naval, health care, power generation, IT systems, telecommunications, risk analysis, and space systems.

Conclusions: How to Solve the Problem?

Given this, how safe is the US DoD Supply chain from cyberattacks?  From casual, publicly available information, there is strong evidence that the supply chain base of the US DoD system is under dedicated and constant attack, most probably needs dramatic investments in order to stay safe and sound from cyberattacks and to keep the US military safe.

The key to understanding the solution is to understand that the threat is immeasurably more serious as we must concern ourselves with the great possibility of a loss of life scenarios.

Let us hope that the new CMMC regulation is a very important step in accelerating the awareness of the real possibilities of these dangers, then to assemble a well-orchestrated cybersecurity risk and mitigation strategy for each attribute of DoD Supply chain may be placed in harm’s way.

Next Steps

If you have any questions or would like support as you ready your organization for CMMC, contact us.  We also invite you to listen to Eric Noonan, CyberSheath CEO, in a recorded webinar to learn how to start preparing your organization for CMMC by leveraging the steps you have taken to be compliant under DFARS.  Register Now

In this webinar you will learn:

  • Mapping NIST 800-171 to CMMC
  • Levels 1-5: Challenges and complexities to consider at each compliance level
  • Step by step path to attaining CMMC


According to a Department of Defense (DoD) official as confirmed to Inside Cybersecurity, DoD is planning to publish the proposed acquisition rule required for the implementation of the Cybersecurity Maturity Model Certification (CMMC) program in the next few weeks.

The proposed rule change, titled “Strategic Assessment and Cybersecurity Certification Requirements” under Defense Federal Acquisition Regulation Supplement (DFARS), is required for the Pentagon to award contracts containing CMMC language. Final timing is a decision for the White House Office of Management and Budget’s Office of Information and Regulatory Affairs, but the proposed timing aligns with the tremendous push forward for CMMC across the DoD.

This news should continue to melt away any doubts that the train has left the station and getting compliant with DFARS 252.204-7012 and NIST 800-171 for current contracts and planning for CMMC implementation for future contracts is a major priority for all DoD suppliers.

How to Prepare for Cybersecurity Maturity Model Certification

Compliance with ever-evolving DoD cybersecurity mandates like DFARS 252.204-7012, NIST 800-171, and CMMC is complicated and confusing. It can be hard to understand the outcomes that you should focus on and how to measure success. What does success even look like? How can I partner with a Managed Services provider to deliver measurable outcomes that ensure compliance?

Access our latest webinar, NIST 800-171 Case Study: Surviving a DoD Audit, to prepare your organization for CMMC. Go behind the scenes through a defense contractor’s journey from 35% compliance to a successful audit and “low-risk rating” by the DoD.

Access Webinar Now.


Compliance with ever-evolving DoD cybersecurity mandates like DFARS 252.204-7012, NIST 800-171, and Cybersecurity Maturity Model Certification (CMMC) is complicated and confusing. It can be hard to understand the outcomes that you should focus on and how to measure success. Discover what outcome-based Managed Services look like from start to finish, including a successful DoD audit, with a New England based defense contractor.

The contractor recognized the need for compliance with DFARS 252.204-7012, NIST 800-171, and eventually CMMC.  With processes largely informal and undocumented, insufficient staffing, and key technologies not deployed, partnership with a Managed Services provider who truly understood the requirements of a DoD contractor was the only way forward.

Our MSSP team quickly propelled the organization to 90% compliance with the DFARS controls, and with POA&Ms in place to close the remaining gaps. The CyberSheath team’s work resulted in a satisfactory DoD assessment and specific recognition by the DoD officials of the unique role that CyberSheath played as a managed services partner, enabling compliance.

Learn more about this real-world client success story at our webinar on July 8

Gain insight from behind the scenes through a defense contractor’s journey from 35% compliance to a successful audit and low-risk rating by the DoD.

Sign up today


DFARS Compliance with CyberSheath

As a defense contractor, it is imperative to your organization’s survival that you stay competitive in the Department of Defense (DoD) acquisition process and implements the required security requirements including DFARS Clause 252.204-7012 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 1.  And soon, the Cybersecurity Maturity Model Certification (CMMC).

CMMC requires mandated minimum levels of cybersecurity, validated by a third party, for 100% of DoD contracts.

How do you ensure that you achieve compliance while thriving at your core competency and growing your business – and how do you right-size the security requirements? Internal IT and security staff are already stretched thin and have no time to learn the complexities of DFARS, NIST, and CMMC. So how can you possibly be successful with so many things working against you?

Leverage CyberSheath Managed Security Services for DFARS compliance.

How CyberSheath Managed Services Enable Compliance

Working with CyberSheath will have a profound impact on your business. With clear direction and measurable outcomes to support DFARS, NIST, and CMMC requirements, your company can confidently move forward and:

  • Pass your DoD customer assessment.
  • Achieve a low cybersecurity risk rating by a DoD third-party assessor.
  • Stay compliant as risks and requirements evolve.

CyberSheath Managed Security Services include:

  • Assessment – By providing documented, actionable annual compliance assessments against all necessary security requirements, you will know where to focus efforts to improve your security posture. To help you address vulnerabilities, CyberSheath tailors a master System Security Plan (SSP) specific to your environment.
  • Remediation – Specific remediation tasks are aligned with Plan of Actions and Milestones (POA&Ms) and often include creating cyber incident response processes, vulnerability management programs, launching multi-actor authentication (MFA), and implementing mobile device management (MDM).
  • Compliance – CyberSheath documents, automates, and assess compliance that can be easily validated during a third-party audit. Implementing the NIST/DFARS and CMMC requirements across your infrastructure, formalizing security policies and procedures, and making key processes repeatable. The end result is a centralized 24x7x365 Security Operations Center (SOC) capabilities and continuous evidence of regulatory compliance.

Why CyberSheath DFARS Managed Services?

CyberSheath delivers turnkey compliance from assessment through your mandatory third-party audit. We also take accountability for compliance every step of the way and cut through the confusion of NIST 800-171 and CMMC to ensure measurable, ongoing compliance.

You need an MSSP that has seen it all. When you are vetting providers, be sure you partner with a skilled, knowledgeable security expert with years of experience helping organizations and securing infrastructures like your own. Look for a company with extensive DoD experience and with professionals who have seen every iteration of DFARS from voluntary to the current mandatory state.


Learn how CyberSheath’s partnership as a Managed Service led to a successful DoD audit at our webinar on July 8

Get details on how to become compliant and go beyond templates and policy documents to get a glimpse of what total success and compliance looks like as measured by a successful customer audit.

Sign up today


The theft of intellectual property and sensitive information across the Defense Industrial Base (DIB) and the supply chain of the Department of Defense (DoD) threatens economic security and national security. Malicious cyber actors have persistently targeted the DIB sector and the DoD supply chain resulting in loss of intellectual property and unclassified information, which threatens U.S. technical advantages and significantly increase risks to national security.

The DoD is taking action to combat these threats. CMMC maturity levels will soon be used to determine whether a company will or will not be awarded a contract. To state that a different way: There are new regulatory cybersecurity minimums that must be validated by an independent third party prior to contract award on Defense Contractor networks.

What is CMMC?

CMMC encompasses multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The evolving certification is focused on the protection of unclassified information across the supply chain categorized as:

  • Federal Contract Information (FCI): FCI is information provided by or generated for the Government under contract and not intended for public release.
  • Controlled Unclassified Information (CUI): CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954 as amended.

The CMMC model consists of five maturity levels and 171 cybersecurity practices mapped across these maturity levels. This structure helps to institutionalize cybersecurity activities, ensuring that they are consistent, repeatable, and of high quality. The CMMC practices provide a range of mitigation across the levels, starting with basic safeguarding at Level 1, moving to the broad protection of Controlled Unclassified Information (CUI) at Level 3, and culminating with reducing the risk from Advanced Persistent Threats (APTs) at Levels 4 and 5.


DoD CMMC 1-5 Maturity Levels


The CMMC framework is coupled with a certification program to verify the implementation of these important cybersecurity processes and practices.

Is CMMC different from DFARS Clause 252.204-7012 and NIST 800-171?

Yes. While the requirement for DFARS Clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting has been mandatory for several years, enforcement has been inconsistent and self-certification has been allowed, until now. CMMC changes that. Defense Contractors must now implement mandatory minimum levels of cybersecurity prior to contract award. They must also have their implementation of cybersecurity controls validated by a third party. Self-certification is no longer allowable.

The majority of CMMC practices (110 of 171) originate from the safeguarding and security requirements specified in FAR Clause 52.204-21 and DFARS Clause 252.204-7012. It is expected that the vast majority of defense contractors will need to be certified at CMMC Maturity Level 1 or 3.

  • Level 1 is equivalent to all of the safeguarding requirements from FAR Clause 52.204-21.
  • Level 3, building on Levels 1 and 2, includes all of the security requirements in NIST 800-171 plus other practices.

While the actual CMMC certification process is still a work in progress, defense contractors that implement the 110 security requirements of NIST 800-171 will have a head start towards achieving compliance with the new certification once it takes effect. In fact, CMMC Maturity Level 3 includes all 110 NIST 800-171 security requirements, making 85% of Maturity Level 3 compliance based on NIST 800-171 compliance.

The DoD is building on and strengthening, not abandoning, NIST 800-171. While specific maturity levels for individual contracts have not yet been determined, it is understood that implementing NIST 800-171 security requirements is the best way to prepare for CMMC. Get to work implementing NIST 800-171 to put yourself in a position to succeed.

How will CMMC affect the Acquisition Process?

CMMC will have a dramatic impact. Self-certification is being replaced with third party validation prior to the contract award. Checkbox compliance with nothing more than the documentation of a System Security Plan (SSP) and Plans of Action & Milestones (POA&Ms) is no longer sufficient. Doing business with the DoD now means a commitment to cybersecurity that is based on trust but verify DoD process for all 300,000 plus DoD suppliers.

How can I get ready for CMMC?

Given that the DoD has made NIST 800-171 the foundation for certification, preparing for CMMC is a relatively straightforward process. While not easy or free, it is uncomplicated to determine the steps necessary, timing, and priority. Here are measures to take to get started.

  • Step 1. Assess your current operations for compliance with NIST 800-171.
  • Step 2. Document your System Security Plan (SSP).
  • Step 3. Document your Plan of Actions & Milestones (POAMs).
  • Step 4. Implement the required controls.
  • Step 5. Maintain compliance.

For an easy-to-follow guide on how and in what order you should start getting ready for your mandatory third party CMMC audit, download our guide.

Why CyberSheath

There is no better company to help you in doing the actual work required to achieve CMMC compliance. CyberSheath has been working with the DoD and its suppliers for nearly a decade as CMMC has evolved from voluntary to self-certification, and now mandatory third party certification. Our CEO is a former Chief Information Security Officer for one of the largest defense companies in the world, and our employees are all practitioners, not consultants. What is the difference? Consultants just tell you what to do in presentation slides; we know what action to take and we do it.

We are in unprecedented times. As we all work to maintain as much normalcy in our personal and professional lives as possible, important projects such as those involving your organization’s cybersecurity might not be top of mind.

You’ve worked hard to secure your company’s valuable information technology resources to guard it against all sorts of cyberattacks. Neglecting IT security now would be a misstep. Here’s why.

Three Reasons Quarantine Shouldn’t Stall Your Cybersecurity Plans

1 – CMMC is moving forward in spite of the current crisis.

In an interview with Government Matters on March 29, Katie Arrington, the chief information security officer in the Office of the Undersecretary for Acquisition and Sustainment, announced the DoD is still moving forward with the newly launched Cybersecurity Maturity Model Certification (CMMC), even with the current challenges companies are facing due to COVID-19.

2 – Protecting controlled unclassified information (CUI) remains important.

It’s worth considering if the scope of your CUI environment has changed now that many or all of your employees are working from home. With that in mind as well as an increase in cyberattacks, including phishing and hacking, it’s possible that your dispersed and remote workforce could be more at risk – potentially exposing your company to nefarious threats.  And, unchanged is the regulatory requirement of protecting CUI under NIST 800-171. Now is not the time to be lax on IT security.

3 – Assessments can be done remotely.

While the present environment might alter some aspects of your approach, it shouldn’t change your CMMC timeline. With all of your organization’s digital capabilities – which undoubtedly have been tested and broadened in recent weeks – collaborating with a skilled provider on your CMMC assessment makes sense.

A skilled partner like CyberSheath will be able to work with you remotely to assess your current IT infrastructure and security posture, helping to get you ready for CMMC. The assessment is the first step to understand the gaps your organization is facing to meet CMMC requirements. To prepare you for the assessment process, to know what to expect, and what is needed to manage a successful engagement, we interviewed a cybersecurity practitioner to share from his years of experience, access the interview now.

As we look to the coming months and plan for an uncertain future, one thing that remains constant is the need to develop, execute, and maintain a robust cybersecurity plan. Delaying your efforts to comply with CMMC could impact your business – and making your IT security a priority is always a good idea – especially now.

The experts at CyberSheath understand your challenges – and we can help. Contact us to make sure your CMMC assessment gets – and stays – on track.

Technology photo created by freepik –

It has finally arrived, the Cybersecurity Maturity Model Certification (CMMC) version (v) 1.0. CMMC v1.0 changes the DoD acquisition process with certification becoming a pre-RFP requirement to bid a government contract.  Like you, CyberSheath has been aggressively following the CMMC’s progression to this final version which included 3 previous drafts 0.4, 0.6 and 0.7. Overall not much has changed from draft 0.7; however, version 1.0 does have some noteworthy updates.


Overview of CMMC Levels 1-5 per the DoD’s released CMMC v1.0 pdf

Level 1 focuses on the protection of Federal Contract Information (FCI) and the practices under the basic safeguarding requirements detailed in 48 CFR 52.204-21.  Level 1 is the only level where processes will not be assessed.

Level 2 is the step between Levels 1 and 3 and as such begins to include a portion of NIST 800-171 controls, in addition to other frameworks. The subset of frameworks introduced at Level 2 also starts to refer to Controlled Unclassified Information (CUI).  Unlike Level 1, documentation of processes and policies is a requirement in Level 2.

Level 3 requires the implementation of all 110 NIST 800-171 controls. There is also 20 new CMMC practices introduced at Level 3.  In addition to documenting processes, “Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation.”

Level 4 concentrates on the “protection of CUI from APTs and encompasses a subset” of practices from the NIST 800-171B draft combined with other cybersecurity models.  Level 4 requires documenting, managing in addition to reviewing processes as well as improving as necessary.

Level 5, like Level 4, Level 5 concentrates on the “protection of CUI from APTs.”  Level 5 requires the continuous optimization of documentation and processes across the organization.


Key Differences between NIST 800-171 and CMMC v1.0

CMMC includes security practices in new Domains including Asset Management, Recovery, and Situation Awareness.

Level 2 requires increased standards for Incident Response

Level 2 requires an organization to review logs

Level 3 requires increased standards for Risk Management

Level 3 requires organizations to collect audit logs in one or more central repositories

Level 3 includes new requirements to protect email services

Level 3 includes new requirements to filter access to potentially malicious internet sites (DNS filtering)

Level 3 builds on Levels 1 and 2, requiring 100% compliance with NIST 800-171 plus 20 new CMMC practices (1 less than the previous draft version)


Key Differences between CMMC draft v0.7 and CMMC v1.0

Level 4 SOC is now 24/7 instead of “normal business hours”

Levels 3, 4 + 5 the new practice (P1035) requiring organizations to, “Identify, categorize, and label all CUI data” has been removed from all Levels that originally required it in draft versions. However, the original control to mark media is still there, so if you print or put media on a thumb drive, you need to mark it. But identifying and labeling CUI content is not explicitly stated as it was in all previous drafts.


If you have any questions or would like support as you ready your organization for CMMC, contact us.  We also invite you to listen to Eric Noonan, CyberSheath CEO, in a recorded webinar to learn how to start preparing your organization for CMMC by leveraging the steps you have taken to be compliant under DFARS.  Register Now

In this webinar you will learn:

  • Mapping NIST 800-171 to CMMC
  • Levels 1-5: Challenges and complexities to consider at each compliance level
  • Step by step path to attaining CMMC

You have completed your NIST 800-171 security controls assessment to see how your company is doing in meeting the requirements of the standard. The evaluation revealed some gaps within your organization’s implementation of the solutions, tools, and processes you have launched. Unsurprisingly, these gaps typically occur in those controls most difficult to rollout. These challenges include those relating to:

Technology – Issues may include trouble identifying the right solution to address problems and the cost to acquire and implement the tools.

Process – There are often organizational matters to navigate as the company deals with changing the way it has always done things. This can extend to the need to adjust attitudes and upgrade the skillsets of members of the IT team as well as executive staff.

People – Impacting how employees perform their day-to-day work can make your whole organization run less smoothly.


Based on our work performing hundreds of assessments each year, we have identified consistent implementation gaps regarding the following controls:


5 – Training and Awareness, Control 3.2.1

  • Control requirements: This control mandates on-boarding and periodic refresher training of all users with access to sensitive information, as well as specific training for security-related roles.
  • Implementation challenges: Training and awareness impacts everyone and is one of the most effective ways to improve your security. Some employees consider it boring or not directly related or important to their work. The size of your workforce and the technical background of employees will have a direct impact on your implementation. While not the most difficult control to put into action, it can provide the most improvement to your security.
  • 51% of our assessed clients had issues with this control.


4 – FIPS-validated Cryptography, Control 3.13.11

  • Control requirements: Using FIPS-validated cryptography is compulsory to protect Controlled Unclassified Information (CUI). This includes deploying it on mobile platforms, including cell phones, tablets, and laptop drives, as well as on removable media and during transmission over unprotected communication channels.
  • Implementation challenges: This technology is complex and integrating it with the rest of your systems can be onerous. The size of your workforce and complexity of your environment also affects your implementation. Conducting the due diligence necessary to determine that all the encryption tools you employ to protect CUI can be challenging. Some of our customers understand that the encryption algorithms employed by their tools are FIPS-validated but are not aware that FIPS-validated cryptography includes other parameters, such as key generation, protection, and management.
  • 52% of our assessed clients had issues with this control.


3 – Incident Response, (Controls Class) 3.6.X

  • Control requirements: This control mandates that you establish an incident response capability that includes preparation, detection, analysis, containment, recovery, and user response, as well as the ability to track, document, and report incidents.
  • Implementation challenges: There is a tendency to be reactive rather than proactive, as often people do not like to think about things going wrong, and employees are often not eager to report to management or customers about negative events. Again, the complexity of your environment and size and training of your IT workforce impacts the implementation. Also, effective Incident Response processes go beyond IT and Security, requiring coordination with other organizations such as HR, Legal Consul, Communications, and the Executive Leadership Team.
  • 64% of our assessed clients had issues with this control.


2 – Multi-factor Authentication, Control 3.5.3

  • Control requirements: To comply, it is necessary to use multi-factor authentication (MFA) for network and remote access by all users, and in addition, privileged users require MFA for all local access. Authentication factors include “something you know”, such as a password; “something you have”, such as a token or cell phone; and “something you are”, such as a fingerprint. To meet this control, your organization must use two (or more) different factors. For example, using two passwords is not MFA. Using a password and your fingerprint is MFA.
  • Implementation challenges: This control is potentially expensive as it necessitates a new process and affects your service desk, every piece of hardware, and your people, as logging in is different. Implementation is impacted by your current systems and processes, the size of your environment, and the diversity of your platforms.
  • 73% of our assessed clients had issues with this control.


1 – Documentation for all Controls

  • Control requirements: NIST SP 800-171 r1 “expects” that nonfederal organizations will have policy, process, and plan documentation covering all the security domains as part of their comprehensive security program.
  • Implementation challenges: Most companies don’t have policy, process, or plans to measure if they are doing the right thing and doing it consistently – and this will be even more important with the introduction of Cybersecurity Maturity Model Certification (CMMC). Also, technical people typically enjoy doing technical work, such as design, implementation, and support and are not as motivated to complete the required paperwork. Implementation of a comprehensive documentation system hinges on your resources and what your company already has in place and on-file.
  • Approaching 100% of our assessed clients had issues with this control.


If you need expert help complying with these challenging requirements or any others, you can rely on CyberSheath. Contact us to see how we can help your organization move forward.  We also invite you to join Eric Noonan, CyberSheath CEO, at our upcoming webinar on February 26th, 2020 at 9:00 am (PST) | 12:00 pm (EST) to learn how these difficult NIST 800-171 controls could affect your CMMC efforts.  Register Now

In this webinar you will learn:

  • Mapping NIST 800-171 to CMMC
  • Levels 1-5: Challenges and complexities to consider at each compliance level
  • Step by step path to attaining CMMC


Webinar Leveraging NIST 800-171 to Achieve CMMC Registration Link

There is a lot your organization is already doing that you can apply to your preparation for the impending launch of CMMC (Cybersecurity Maturity Model Certification). One important and useful component to consider is a Plan of Action and Milestones  (POA&M or POAM).

Required to achieve compliance with NIST 800-171, a POAM is an extremely useful tool in helping your organization plan for a multitude of security projects, including compliance with standards like CMMC.

How a POAM Helps Realize Project Goals

Providing a structured approach for how to approach any security issue, a POAM delivers many benefits. It:

  • Outlines activities necessary to mitigate security issues.
  • Helps identify the security issue you are having or might have, and the underlying gap in your systems or processes.
  • Assigns resources needed to mitigate issues.
  • Holds your organization accountable with projected completion of milestone activities.
  • Calls out how vulnerabilities were identified.
  • Denotes risk level, labels status, and captures the estimated cost to remediate.

It’s a good idea to be well-versed and able to use a POAM now. Once you factor in the added benefit of helping your organization get ready for proceeding with CMMC compliance, using a POAM just makes sense.

POAM and CMMC Compliance

Preparation  As you ready your organization for tackling CMMC compliance, a POAM will matter more than ever. The plan can be used as a guide to understand what is required of your organization to receive the CMMC level certification your organization needs to bid on a government contract. It will actively manage and guide your project by highlighting the timeframe and resources required to achieve a CMMC level of certification by a specific date.

Maintenance – In the constantly evolving threat and technology landscapes, the tool can also assist in maintaining your certified level. A change to the threat environment could make a security practice no longer, or less, effective. A POAM could be used to reestablish compliance with the security practice if the new threat creates a gap.

Changes to your infrastructure may also create practice or process gaps that require a POAM to remediate. For example, if you are Maturity Level 3 certified at contract bid, which requires you have resources to collect and review your audit logs, and your organization doubles in size during the contract, you could potentially need a POAM to address the resources needed to collect and review audit logs which have now doubled in volume.

Advancement – After you have achieved initial CMMC compliance, a POAM can continue to add value, assisting your organization in leveling up and reaching a new degree of certification (i.e. advancing from CMMC Level 2 to CMMC Level 3). A POAM again becomes a driving force to manage your time around a project completion date as well as the resources required to successfully reach the determined milestones.

Executive Buy-In – As you look for budget and resource approvals to tackle CMMC compliance, a POAM can be a helpful tool in communicating with and getting buy-in from senior management.

Start familiarizing yourself with this valuable tool now by downloading our sample POAM template below.

CMMC Update – Draft Version 0.6

CMMC is being further refined and another update to the standard was recently released (Version 0.7). Draft Version 0.6 includes notable updates such as:
  • Changed from 18 to 17 Domains with the elimination of the Governance domain.
  • Focused more of the Practices on NIST 800-171 Controls.
  • Identified 21 Practices through Practice Level 3 which are not attributed to NIST 800-171 R1. That is, to achieve Practice Level 3, you need to be fully compliant with NIST 800-171 R1 and implement the 21 new CMMC practices.
  • Started referencing international frameworks including those from Australia and the UK.
  • Removed the “redundant” Practices. For example, in Draft Version 0.4 of the standard, Level 1 might have a Practice that is implemented “at least in an ad hoc fashion” and the same control is fully applied in Level 2. These “ad hoc” practices were removed from Level 1.

If you have any questions or would like support as you ready your organization for CMMC, contact us.


POAM Template Download

As you are probably aware, there is a new mandatory certification model that will be required to do business with the Department of Defense (DoD). The CMMC (Cybersecurity Maturity Model Certification) builds on best practices established in NIST 800-171 (DFARS), NIST 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others, to create one unified standard for cybersecurity.

CMMC will be a dynamic standard, growing and evolving with the demands of the ever-changing cybersecurity landscape. While the structure of CMMC is set, the details of the new standard are still being vetted, refined, and finalized. The target for launch is early 2020.

How CMMC Compares to NIST 800-171


The purpose of both standards is to ensure that DoD contractors employ healthy cybersecurity practices to protect sensitive information. There are several facets of security posture that must be met in order to be in compliance with both standards. Both also require demonstrated compliance to do business with DoD, via self-certification for DFARS and via an audit by certifying organization for CMMC.


One important distinction touched on above is that CMMC will not allow self-certification. Compliance with the standard will be verified by an outside third-party hired by your company to determine your compliance with the requirements.

The CMMC control framework is (currently) much larger than the 14 control families and 110 controls outlined in NIST 800-171. As of October 31, 2019, CMMC contains 18 domains, 241 practices, and 90 processes at Maturity Level 3.

CMMC Components

The elements of CMMC include:

  • Maturity Levels – These levels range from basic security controls required for level 1 through highly advanced requirements for level 5.
  • Domains – Based on cybersecurity best practices, these are key sets of capabilities for cybersecurity, such as Access Control, Incident Response, Security Assessment, and more.
  • Capabilities – These achievements are the building blocks of each domain, ensuring cybersecurity within each domain.
  • Practices – These are individual cybersecurity activities related to NIST “controls”. They range from Level 1 practices including anti-virus and ad hoc cybersecurity governance to Level 5 practices such as real-time asset tracking and device authentication.
  • Processes – These are documented standards for implementing practices based on the maturity level of your organization.

Below is an example of a cross-reference matrix between NIST and CMMC draft 0.4. It shows some interesting characteristics, such as:

– One NIST Family mapping to multiple CMMC Domains
– One NIST control mapping to multiple CMMC Levels
– One NIST control mapping to multiple CMMC Capabilities
– One NIST control mapping to multiple CMMC Practices
– New CMMC practices not found in the NIST controls

Note, as with most mappings of this kind, they are not always clean, with some aspects of a Control in one framework mapping to elements of a Practice in a different framework.

What You Can Do Now

CMMC specifically calls out the requirement for documentation for all domains in order to achieve compliance. Note that this condition was never explicitly requested in NIST 800-171; rather it is noted in the DFARS appendix that it was assumed you had the appropriate documentation.

While CMMC is continuing to evolve, you can ready your organization to meet the requirements of the new standard. Achieving CMMC compliance will not be a quick endeavor as you will need to define and record your real working processes.

Start now by cataloging your processes and building out the documentation that is called out in NIST as this will surely aid your CMMC compliance activities.

CMMC Maturity Levels 2, 3, 4, and 5 will require Policy, Process, and Plan documents. According to NIST, here are the plans you should have in place:

  • Business Continuity Plans
  • Contingency Plans
  • Continuity of Operations Plans
  • Critical Infrastructure Plans
  • Crisis Communications Plan
  • Disaster Recovery Plans
  • Incident Response Plan
  • Incident Response Testing Plan
  • Occupant Emergency Plan
  • Physical/Environmental Protection Plan
  • Plan of Action
  • Security Assessment Plan
  • Security Plan
  • System Security Plan

And here are the policies and procedure you should have as well:

  • Access Control
  • Audit and Accountability
  • Configuration Management
  • Configuration Planning
  • Incident Response
  • Identification and Authentication
  • Information Flow Control
  • Information Flow Enforcement
  • Information System Maintenance
  • Media Protection
  • Media Sanitation and Disposal
  • Mobile Code Implementation
  • Password
  • Personnel Security
  • Physical and Environmental Protection
  • Portable Media
  • Risk Assessment
  • Security Assessment and Authorization
  • Security Awareness and Training
  • Security Planning
  • Separation of Duties
  • System and Information Integrity
  • System and Services Acquisition
  • System and Communication Protection
  • System Use

Prepare yourself by understanding the latest CMMC updates and, more importantly, how your business should respond to achieve documented, audit-proof evidence of compliance. Listen to Eric Noonan, CyberSheath CEO, in this recorded webinar as he explains how to cut through the noise and jump-start your DFARS compliance efforts.  No matter where you are in your journey towards NIST 800-171 compliance this webinar is guaranteed to better equip you in understanding, implementing, and maintaining compliance!

Register Now to gain your access to the webinar. If you have any questions or would like support as you ready your organization for CMMC, contact us.


Cybersheath Blog

3 Reasons Why You Need a Privileged Access Risk Assessment

A privileged account is one used by administrators to log in to servers, networks, firewalls, databases, applications, cloud services and other systems used by your organization. These accounts give enhanced permissions that allow the privileged user to access sensitive data or modify key system functions, among other things. You can…

Incident Response – Learning the Lesson of Lessons Learned

“Those who do not learn from history are condemned to repeat it.” Over the years, variations of this famous quote have been spoken by everyone from philosophers to world leaders. The message — that we must learn from our mistakes or continue to repeat them — is also highly relevant…

What is DFARS 252.204-7012 and NIST SP 800-171?

With the Department of Defense (DoD) promising the release of an update to NIST Special Publication 800-171, it is imperative defense contractors understand what DFARS 252.204-7012 and NIST SP 800-171 Clause is and how noncompliance with the Clause will impact their business.  Compliance is mandatory for contractors doing business with…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft