Cybersecurity standards are collections of best practices that are designed to protect organizations from cyber threats. There are many different cybersecurity standards, but two that are critical if your company is part of the supply chain for the U.S. Department of Defense (DoD). Even if you don’t do business with DoD directly, you need to know about NIST 800-171 and CMMC. If your organization is not compliant, you risk losing existing contracts and the ability to bid on future RFQs.
NIST 800-171
NIST 800-171 is a special publication (SP) from the National Institute of Standards and Technology (NIST), a physical sciences laboratory and non-regulatory agency that is part of the U.S. Department of Commerce. NIST 800-171 is a cybersecurity standard rather than a regulatory requirement, but it’s commonly understood to establish a minimum level of good cybersecurity practice. For members of the DoD supply chain, this guidance is akin to a requirement in practical terms. Otherwise, you won’t meet DFARS requirements for cybersecurity.
The Defense Federal Acquisition Regulation Supplement (DFARS) is a DoD publication that sets the rules for participating in defense contracts. DFARS 252.204-7012, a clause in this document, contains a section that states: “the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171”. This language isn’t new; all contractors have been responsible for complying with NIST SP 800-171 since December 31, 2017. What’s changing, however, involves something called CMMC.
CMMC
Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard that adds a verification component to the cybersecurity requirements in DFARS 252.204-7012. CMMC is unified because it combines various cybersecurity standards and establishes a model framework. Domains within this framework are mapped to capabilities that contain practices and processes. Importantly, CMMC establishes different levels so that the cybersecurity requirements for a small machine shop are simpler and easier to meet than those for a Tier 1 original equipment manufacturer (OEM).
Federal Computer Week (FCW), a magazine that covers the business of federal technology, recently reported on a rule in the Federal Register that will take effect on November 30, 2020 and require all DoD contracts to ensure CMMC compliance by October 21, 2025. FCW’s article cites Wiley Rein, a law firm in Washington D.C. which has published an analysis that states: “under this framework, contractors will be required to complete a self-assessment of their compliance with NIST SP 800-171 before they can receive DoD contracts.”
Help is Available
If you are a New York State manufacturer that is part of the DoD supply chain, help is available so that you can complete a NIST 800-171 self-assessment. Under a grant from Empire State Development, the Advanced Institute of Manufacturing (AIM) at Mohawk Valley Community College (MVCC) has partnered with FuzeHub to create a cohort of 320 DoD supply chain manufacturers that will receive cyber assistance and training. Of these 320 cohort manufacturers, 67 will be eligible for a grant for a personalized cybersecurity risk assessment according to the DFARS cybersecurity requirements in NIST SP 800-171.
Membership in the cybersecurity cohort is free, but space is limited so learn more and apply to join today. Then, if you’re ready to learn more about cybersecurity standards for defense contractors, don’t miss our Industry Standards and Requirements webinar on Tuesday, October 27 at 11 AM.
