This has been an action-packed year in the world of the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirements.
We first saw an announcement at the beginning of the year that the Department of Defense Office of Inspector General would be conducting audits of defense contractors’ adherence to the NIST SP 800-171 control set.
Somewhat more recently we learned of the first prosecution of a defense contractor under the False Claims Act. Aerojet Rocketdyne Inc. is being prosecuted for attesting that they were fully compliant with NIST SP 800-171 when in fact they were in a state of significant non-compliance.
Most recently we have seen the release of a draft version of the new NIST SP 800-171 standard, Revision 2, along with a companion publication, NIST SP 800-171B. The Department of Defense has also announced the Cybersecurity Maturity Model Certification (CMMC).
The introduction of NIST SP 800-171B is particularly interesting. The publication, titled “Enhanced Security Requirements for Critical Programs and High-Value Assets,” includes 35 new security requirements designed to help defense contractors protect against Advanced Persistent Threats (APTs) like those seen from state-sponsored hackers. It’s unclear at this point when the requirements of this publication will be scoped into contracts.
The CMMC is designed to address complaints from contractors and subcontractors that the existing requirements paint with too broad a brush for the widely varied defense industrial base. As of today, the same requirements apply to both Raytheon and Joe’s Machine Shop. The current framework allows organizations some latitude in how they implement the requirements, but compliance is still rather binary. The CMMC seeks to change that by adding a maturity scale on top of the requirements, allowing contracting officers to decide which levels are required for certain contracts, and establishing strata to provide a roadmap for organizations to graduate to a higher level of security.
The DoD is establishing plans to allow third-party auditors to perform the Cybersecurity Maturity Model Certification.
The last bit of news relevant for DoD contractors is that the DoD will now consider cybersecurity an allowable cost for certain types of contracts. That means contractors can potentially submit the costs of their DFARS cybersecurity compliance efforts for reimbursement by the DoD.
We are tracking all of these issues and will be posting updates as they unfold.
As always, don’t hesitate to reach out to our experts here at OCD Tech for any questions on your IT security and IT compliance needs.