This post is aimed mainly at those who operate in the Defense Industrial Base (DIB). According to the United States’ own Cybersecurity and Infrastructure Security Agency (CISA), the DIB is “the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and component parts, to meet U.S. military requirements.” Naturally, that is a mouthful. What would you expect from a government website? That being said, the goal of this and future writings is to give organizations that fit the DIB definition above a resource for gaining situational awareness about their role in the DIB, the current and upcoming defense contracting requirements, and how cybersecurity is intertwined through it all.

This is the first of a series of informative posts about the DIB and cybersecurity. To get started, unfortunately, we will need to cover some unpleasant government contracting legalese. Hold tight and grab a cup of coffee. There are two main documents that control contracting with the U.S. Government and, subsequently, the Department of Defense (DoD). First, there is the Federal Acquisition Regulation (FAR), a set of regulations that governs all acquisitions and contracting procedures of the Federal Government. Second, there is the Defense Federal Acquisition Regulation Supplement (DFARS), an extension of the FAR specifically for the DoD. You can think of these as standard contract language that will most likely be found in your contract (prime or sub) when you provide products or services as part of the DIB. Both are wholly contained in the Code of Federal Regulations (CFR), the centrally located set of regulations for the entire government. Title 48 of the CFR is the Federal Acquisition Regulation (FAR) mentioned above.

At this point, I am sure you are wondering how this links to NIST SP 800-171. Here is the payoff: Section 252.204-7012 (often referred to simply as 7012) is the part of the FAR that requires government contractors to adhere to NIST SP 800-171. We could go into the history, but to keep things simple we will jump ahead to November 30, 2020, when the DoD created what is popularly known as The Interim Rule. The Interim Rule did two things: 1) It required all contractors (prime and sub) to perform a basic cybersecurity self-assessment using NIST SP 800-171 and report the score using the Supplier Performance Risk System (SPRS). 2) It established the Cybersecurity Maturity Model Certification (CMMC) as the future path for cybersecurity in the DIB and provided the timelines for its implementation. (We will cover the CMMC in much more detail in future posts.)

Now that we have all the government language and acronyms out of the way, we can boil it down to the bare facts:

  • If you are in the Defense Industrial Base (DIB) you are currently subject to the NIST SP 800-171.
    • You should have a score from within the last 3 years.
    • The score should be reported into the SPRS system.
  • The CMMC is coming and you should be getting prepared.
    • The good news is that the NIST SP 800-171 is wholly contained in the CMMC Maturity Level 3 (ML3) or above.
    • If you have completed, or are currently working on, your NIST SP 800-171 items, you will not be duplicating your efforts and cost.

The bottom line is that the NIST SP 800-171 is here to stay in the near term, and the CMMC is arriving now and is the reality of the future. When looking at NIST SP 800-171 and CMMC, I have seen the gamut of readiness. There have been organizations that did not know about 171. There have been organizations that were all over it and already dialing in their CMMC practices. The best advice I can give: if you feel like you may be behind, you probably are. There is an old Chinese proverb that states: “The best time to plant a tree was 20 years ago. The second best time is today.”

-David Malicoat, Founder, BAMCIS Cyber