SSP Archives - Virginia PTAC at George Mason University, an APEX Accelerator Virginia PTAC at George Mason University, an APEX Accelerator

Cybersecurity Compliance (and CMMC)

Posted by Elizabeth on September 25, 2018

Learn about NIST 800-171 requirements (currently applicable to all levels of DoD contractors including – including lower tier subcontractors): https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
- Controlled Unclassified information (CUI): https://www.archives.gov/cui
- DoD CUI: https://www.dodcui.mil/CUI-Registry-New/
- Training on CUI: https://www.archives.gov/cui/training.html or https://www.dodcui.mil/
Learn about Cybersecurity Maturity Model Certification (CMMC):
- Utilize Project Spectrum (funded by DoD OSBP to educate small business on CMMC): https://projectspectrum.io/ so you can be ready for future (and some current) contract requirements.
- The Office of the Under Secretary of Defense for Acquisition and Sustainment: https://dodcio.defense.gov/CMMC/
- CMMC Documentation (Model, Scoping Guide, Assessment Guide): https://dodcio.defense.gov/CMMC/Documentation/
- DIBCAC Assessment Information: https://www.dcma.mil/DIBCAC/
Follow the CMMC AB (accreditation body) for news: https://cmmcab.org/
- Understand the CMMC ecosystem: https://cyberab.org/CMMC-Ecosystem/What-is-CMMC
- Bookmark the CMMC Marketplace: https://cyberab.org/Catalog#!/c/s/Results/Format/list/Page/1/Size/9/Sort/NameAscending
TO BE COMPLIANT:
- Contact your local APEX Accelerator counselor to make sure you understand how it applies to you and the process. Virginia clients email apex@gmu.edu if you don’t know your counselor.
- Create a System Security Plan (SSP) – template available on link #1 above from NIST
- If applicable create a Plan of Action and Milestones (POAM) – template available on link #1 from NIST (look under Documentation)
- Perform your Basic (self) Assessment against NIST 800-171 – instructions and documents available on link #1 above from NIST (look under documentation)
- Publish your results from the NIST 800-171 Basic (self) Assessment into the Supplier Performance Risk Management System (SPRS): https://www.sprs.csd.disa.mil/ and review FAQ: https://www.sprs.csd.disa.mil/faqs.htm#nist
- If applicable, locate an official Certified 3rd Party Assessment Organization (C3PAO) to perform a CMMC 2.0 level 2 assessment (get multiple quotes on the open market to see how much it will cost for the assessment): https://cmmcab.org/marketplace/

Other resources:

CMMC_Level_1_Readiness_Checklist from our colleagues at the Del Mar College PTAC
CMMC Self Assessment Checklist in Excel including POAM template
Compliance with DFARS cybersecurity clause training created by the Georgia Tech PTAC: https://gtpac.org/cybersecurity-training-video/
GENEDGE resources: https://www.genedge.org/resources/cybersecurity-materials/
Blue Cyber (Air Force cybersecurity education and outreach) Check out a flier on their resources including weekly events and monthly bootcamps: https://virginiaptac.org/wp-content/uploads/2023/09/BlueCyber-Services-Flyer.pdf
Center for Development of Security Excellence Training by DCSA

Posted in: