What to Do if Your Prime is Asking You to Demonstrate Compliance with DFARS 252.204-7012 and NIST 800-171?

By Eric Noonan • October 26, 2020

Lockheed Martin and other prime contractors are contacting their suppliers and requesting a security status update; in many cases they are requesting a demonstration of compliance before the DoD November 30th deadline. If you’ve received this request, you’re not alone. We’re helping many of our clients demonstrate that they’re achieving the requirements and submit the requested documentation before the deadline set by primes.

When the new DFARS Interim Rule and Cybersecurity Maturity Model Certification (CMMC) requirements were released at the end of September, we knew it would start to trickle down the supply chain. The primes heard the message loud and clear, and now suppliers do too. Lockheed Martin, for example, is requiring suppliers to complete a survey by November 5th so it can assess risk before the new rules take effect on November 30.

What is Required of Suppliers?

Suppliers must confirm their NIST 800-171 Assessment Score; provide a Plan of Action and Milestones (POA&M) estimated completion date (ECD) for any unimplemented requirements; provide their status and ECD for an additional 20 CMMC practices; and provide their status and ECD for the CMMC Level 2 and 3 maturity processes. On top of that, suppliers have to provide updates on their progress until all practices and processes are implemented, as well as their “estimated date for closure of all NIST SP 800-171 POA&M items, and the expected closure date for the additional controls.”

The primes are hard at work getting a sense of where their supply chain stands before the interim rule takes effect and the CMMC requirements start showing up in RFIs, RFPs, and contracts.

Where Should You Go from Here?

Start with this overview of the DFARS interim rule, an FAQ on everything we do and don’t know at this point, and the steps you should take immediately to meet the requirements. We’re here to help and to explain the rules in plain English. Don’t hesitate to reach out with any questions or to talk through a project plan or schedule for responding to these requests by the deadline.

Join Us at CMMC Con 2020: A Virtual Event Designed to Support Stakeholders in the DIB

If you are a prime or subcontractor looking to better understand how to navigate the rapidly shifting future of cybersecurity compliance, CMMC Con 2020 is the event for you. Join us on November 18th for this one-day event, where you will hear an expert line-up engage in conversations focused on DFARS compliance, the threat from China, and a “how-to” session for small and medium-sized businesses struggling with NIST 800-171 and CMMC.
