There is a lot your organization is already doing that you can apply to your preparation for the impending launch of CMMC (Cybersecurity Maturity Model Certification). One important and useful component to consider is a Plan of Action and Milestones (POA&M or […]
How a Plan of Actions and Milestones Fits Into CMMC Read More »
As you are probably aware, there is a new mandatory certification model that will be required to do business with the Department of Defense (DOD). The CMMC (Cybersecurity Maturity Model Certification) builds on best practices established in NIST 800-171 (DFARS),
CMMC Update – How to Start Preparing Your Company for Compliance Read More »
Your assessment is behind you. You have been working to create a System Security Plan (SSP) detailing a Plan of Action & Milestones (POA&Ms) based on your assessment findings. Your goal, to remediate gaps discovered to ensure NIST 800-171 compliance
Three Things to Consider Before Starting Your NIST 800-171 Implementation Read More »
Cybersecurity requirements for Department of Defense (DOD) contractors continue to evolve. However, NIST 800-171 compliance is as much required by law today as it was on the December 2017 deadline. In fact, with the introduction of the Cybersecurity Maturity Model
Webinar: Understanding DOD CMMC and NIST 800-171 Revisions Read More »
Have contractors implemented the NIST 800-171 controls? DOD Inspector General (IG) audit suggests not, recommends third-party audits. Are you ready?
A recent audit conducted in response to a request from the Secretary of Defense determined that DOD contractors did not consistently implement DOD‑mandated system security controls for safeguarding Defense information. Specifically, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires contractors that maintain Controlled Unclassified Information (CUI) to implement security controls specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which lists security requirements for safeguarding sensitive information on non-Federal information systems. The requirements include controls for user authentication, user access, media protection, incident response, vulnerability management, and confidentiality of information.
Recent DOD Audit on Controlled Unclassified Information Finds Contractors Not Secure Read More »
NIST 800-171 Revision 2 and 800-171B drafts were released for comment last week, and as expected there have been no major changes proposed to the controls in NIST 800-171 Revision 2. For DOD contractors waiting to implement the required security requirements of NIST 800-171 Revision 1 pending the latest updates, the proposed updates won’t buy you any time. The fact is enforcement is underway and compliance with DOD cybersecurity requirements is a go/no go decision if you are serious about being eligible to do business with the DOD.
The recently announced Cybersecurity Maturity Model Certification (CMMC) scheduled for completion by January 2020 has many DOD contractors scrambling to anticipate how to prepare. While there are many unknowns regarding what the CMMC will ultimately look like, DOD contractors should focus on what is already known and currently mandatory with DFARS 252.204-7012, which requires the implementation of NIST 800-171. Stop trying to read the tea leaves and doing the bare minimum by writing System Security Plans (SSP’s) and start implementing the 110 security requirements of NIST 800-171. Demonstrable action, that is NIST 800-171 control implementation, is the best way to prepare for the CMMC.
The window of opportunity for achieving compliance with DFARS 252.204-7012, which requires the implementation of NIST 800-171 across the DOD supply chain, continues to get smaller as the ability to self-certify is set to expire.
CyberSheath attended the Professional Service Council’s 2019 Federal Acquisition Conference where Special Assistant to DOD’s Assistant Secretary of Defense Acquisition for Cyber Katie Arrington stated clearly that “…cost, schedule, and performance cannot be traded for security.” Security is the foundation of defense acquisition.
With the Department of Defense (DOD) promising the release of an update to NIST Special Publication 800-171, it is imperative defense contractors understand what DFARS 252.204-7012 and NIST SP 800-171 Clause is and how noncompliance with the Clause will impact their business.
What is DFARS 252.204-7012 and NIST SP 800-171? Read More »
Adopt the RMF to cope with growing risk and comply with strict legislation— think defense (DFARS), healthcare (HIPAA), and retail/payment (PCI).
Understanding the NIST Risk Management Framework (RMF) Read More »
