What to Do if Your Prime is Asking You Demonstrate Compliance with DFARS 252.204-7012 and NIST 800-171?

By Eric Noonan • October 26, 2020

Lockheed Martin and other prime contractors are contacting their suppliers and requesting a security status update; in many cases requesting a demonstration of compliance before the DoD November 30th deadline.  If you’ve received this request, you’re not alone. We’re helping many of our clients demonstrate that they’re achieving the requirements and submit the requested documentation before the deadline set by primes.

When the new DFARS Interim Rule and Cybersecurity Maturity Model Certification (CMMC) requirements were released at the end of September, we knew it would start to trickle down the supply chain. The primes heard the message loud and clear, and now suppliers do too. Lockheed Martin, for example, is requiring suppliers to complete a survey by November 5th so it can assess risk before the new rules take effect on November 30.

What is Required of Suppliers?

Suppliers must confirm their NIST 800-171 Assessment Score, provide a Plan of Action and Milestones (POA&M) estimated completion date (ECD) for any unimplemented requirements, their status and ECD for an additional 20 CMMC practices, and their status and ECD for the CMMC Level 2 and 3 maturity processes. On top of that, suppliers have to provide updates on their progress until all practices and progress are implemented, as well as their “estimated date for closure of all NIST SP 800-171 POA&M items, and the expected closure date for the additional controls.”

The primes are hard at work getting a sense of where their supply chain stands before the interim rule takes effect and the CMMC requirements start showing up in RFIs, RFPs, and contracts.

Where Should You Go from Here?

Start with this overview of the DFARS interim rule, an FAQ on everything we do, and don’t know at this point, and steps you should take immediately to meet the requirements. We’re here to help and explain the rules in plain English. Don’t hesitate to reach out with any questions or to talk through a project plan or schedule for responding to these requests by the deadline.

Join Us at CMMC Con 2020.  A Virtual Event Designed to Support Stakeholders in the DIB.

If you are a prime or subcontractor looking to better understand how to navigate the rapidly shifting future of cybersecurity compliance – CMMC Con 2020 is the event for you. Join us on November 18th for this one-day event where you will hear an expert line-up engage in conversations focused on DFARS compliance, the threat from China, and a “how-to” session for small & medium-sized businesses struggling with NIST 800-171 and CMMC.

Register Now

 

 

Cybersheath Blog

3 Reasons Why You Need a Privileged Access Risk Assessment

A privileged account is one used by administrators to log in to servers, networks, firewalls, databases, applications, cloud services and other systems used by your organization. These accounts give enhanced permissions that allow the privileged user to access sensitive data or modify key system functions, among other things. You can…

Incident Response – Learning the Lesson of Lessons Learned

“Those who do not learn from history are condemned to repeat it.” Over the years, variations of this famous quote have been spoken by everyone from philosophers to world leaders. The message — that we must learn from our mistakes or continue to repeat them — is also highly relevant…

What is DFARS 252.204-7012 and NIST SP 800-171?

With the Department of Defense (DoD) promising the release of an update to NIST Special Publication 800-171, it is imperative defense contractors understand what DFARS 252.204-7012 and NIST SP 800-171 Clause is and how noncompliance with the Clause will impact their business.  Compliance is mandatory for contractors doing business with…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft