The DFARS Interim Rule is tough reading, dry even for seasoned security wonks. Do it in "chunks," advised Darren King, Director at the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) in a recent Exostar webinar on the new rule. King was the lead presenter, and probably left a number of jaws on the floor with his further recommendation to “burn their POAMs down.”
That’s because King hammered home the need to have an assessment on record in the DoD’s Supplier Performance Risk System (SPRS) to be eligible for an award, subcontract, or contract extension or modification. It might not apply to everyone in the Defense Industrial Base (DIB), but he couldn’t stress how no score, could mean no contract going forward. The Interim rule became a reality back on November 30th. A month later, many are scrambling, more are confused. Again, King’s words.
Interesting factoid: Did you know that getting to level 1 of CMMC compliance is a "pre-award" activity and NIST SP 800-171 is a "post-award" activity? The award, of course, being a contract. Here’s one way to think about it: CMMC is like a driver’s license that gets you to the starting line. From there, you need to decipher what protecting controlled unclassified information (CUI) means.
Now that it’s out there, let's talk about what constitutes CUI … trick question, it depends on what your company does. One thing it's not is Commercial Off The Shelf products, aka COTS (i.e. stuff you’ll find at Home Depot). At the other end of the spectrum, things like technical builds and components for the military, etc. appears more clear-cut CUI.
Then there’s everything in between that no one seems sure about: The engineering drawings without “correct” markings, the “sensitive” documents in unsecured shredders, the seemingly “generic” parts your engineer tweaked per a Prime contractor’s specs. A little more clarity on the part of the government seems in order.
Going back to King’s presentation, he confessed that what we all need is better training as procurement officials. Nevertheless, even if not defined coming directly from the military, CUI is your responsibility to protect. If you’re pondering just protecting all of it, that comes at a cost and could hardly be feasible.
As a RPO watching the seminar, we couldn’t help but notice the emphasis on this next point: have a conversation with your CEO and Contractor's officers. You may need to think differently about "enclaves" while striving to understand best way to utilize them. Scroll down to page 6 of the Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements for this nugget for inspiration to have that talk:
“The cost of these CMMC assessments will be driven by multiple factors including market forces, the size and complexity of the network or enclaves under assessment, and the CMMC level.”
Although, King opened the webinar by asserting that DFARS, 252.204.7012 not going away: as much as many would like it to, he gave the best advice right up front—read it for yourself!
Did you know that Dox Is an Exostar Partner? We pointed to Exostar’s Risk Management Suite for cybersecurity audits back in a May blog post to nudge organizations intending to conform to NIST SP 800-171within DIB towards the inevitable conclusion to ascertain their score. Back then it was about getting ahead of the competition, now it may be more about catching up to them.
For more information about CMMC, CUI or to schedule a cybersecurity audit that won’t be a pass/fail situation, contact Dox Electronics at (585) 473-7766.