CMMC – Enforcing the DFARS Standard by Alex Kirkpatrick | Jun 16, 2019CMMC – Enforcing the DFARS Standard Over the past several years, Department of Defense (DoD) contractors have consistently turned to Aerstone for DFARS compliance. The Defense Federal Acquisition Regulation Supplement (DFARS) clause, “Safeguarding Covered Defense Information and Cyber Incident Reporting” (Section 252.204-7012), requires all DoD prime contractors and subcontractors to implement “adequate security” based on a set of security controls referenced in NIST SP 800-171, and to conduct cyber incident analysis and reporting. The wording of the clause is sufficiently broad as to require compliance by virtually any company doing business, as either a prime or subcontractor, with the DoD, across any industry (whether technical or non-technical). Aerstone’s customers have two options for compliance: they can elect a DFARS Readiness Assessment, a two to four weeklong engagement to identify major gaps in their System Security Plan (SSP) and Plan of Action & Milestones (POA&M), or a comprehensive DFARS assessment that addresses their full security posture. These services provide customers the confidence that if the DoD came knocking to enforce the DFARS standard, they would be ready. Aerstone can also provide consulting services to help DoD contractors remediate gaps. That time has come. Earlier this week, the DoD unveiled plans for a Cybersecurity Maturity Model Certification program. The new standards will have a five-level system and will combine guidance currently in place from the National Institute of Standards and Technology with new input from the Johns Hopkins Applied Physics Lab and Carnegie Mellon University Software Engineering Institute. The standard will combine NIST SP 800-171, NIST SP 800-53, FIPS and other security control models. Once in place, DoD contractors, big and small, will need to be audited by at third-party assessor to ensure compliance. The program also will include a cybersecurity education and training center. Unlike prior years, contracting authorities will not accept only an SSP and POA&M as compliance for DFARS 252.204-7012 — contractors will also be evaluated based upon the implementation of technical controls. These evaluations will lead to a level certification of 1 to 5, 5 being the most secure. The higher the level of certification, the more contracts you will be eligible to bid on. Future RFPs will reflect what level is needed by DoD for each contract. The CMMC standard could be published as early as late June 2019 and is scheduled to be implemented by January 2020. Want to get a head start? Reach out to Aerstone today so we can work together to understand your path to compliance. For customer and partnership inquiries, please contact us email@example.com. For more information on the DFARS standard, please visit https://aerstone.com/assess/dfars-compliance/.