Cybersecurity Compliance (and CMMC)
- Learn about NIST 800-171 requirements (currently applicable to all levels of DoD contractors, including lower-tier subcontractors): https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
- Controlled Unclassified Information (CUI): https://www.archives.gov/cui
- DoD CUI: https://www.dodcui.mil/Home/DoD-CUI-Registry/
- Training on CUI: https://www.archives.gov/cui/training.html or https://www.dodcui.mil/
- Learn about Cybersecurity Maturity Model Certification (CMMC):
  - Utilize Project Spectrum (funded by DoD OSBP to educate small businesses on CMMC): https://projectspectrum.io/ so you can be ready for future (and some current) contract requirements.
  - The Office of the Under Secretary of Defense for Acquisition and Sustainment: https://dodcio.defense.gov/CMMC/
  - Follow the CMMC AB (accreditation body) for news: https://cmmcab.org/
- TO BE COMPLIANT:
  - Contact your local PTAC counselor to make sure you understand how it applies to you and the process. Virginia clients: email ptac@gmu.edu if you don't know your counselor.
  - Create a System Security Plan (SSP); a template is available on link #1 above from NIST.
  - If applicable, create a Plan of Action and Milestones (POAM); a template is available on link #1 above from NIST.
  - Perform your Basic (self) Assessment against NIST 800-171: https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf
  - Publish your results from the NIST 800-171 Basic (self) Assessment in the Supplier Performance Risk Management System (SPRS): https://www.sprs.csd.disa.mil/
  - If applicable, locate an official Certified 3rd Party Assessment Organization (C3PAO) to perform a CMMC 2.0 Level 2 assessment (get multiple quotes on the open market to see how much the assessment will cost): https://cmmcab.org/marketplace/
Other resources:
- CMMC_Level_1_Readiness_Checklist from our colleagues at the Del Mar College PTAC
- CMMC Self Assessment Checklist in Excel including POAM template
- Compliance with DFARS cybersecurity clause training created by the Georgia Tech PTAC: https://gtpac.org/cybersecurity-training-video/
- GENEDGE resources: https://www.genedge.org/resources/cybersecurity-materials/
- Comprehensive blog article with resources: NIST and DFARS and Cyber Compliance (oh my)!
- Cybersecurity update presentation featured at DoD’s Beyond Phase II Mentor-Protégé Training Week (BPIIMPTW18) conference in Orlando, August 2018
- Article from National Defense Feb 2019
- Blue Cyber (Air Force cybersecurity education and outreach)
- Center for Development of Security Excellence Training by DCSA