Cybersecurity Compliance (and CMMC) « Virginia PTAC at George Mason University

Cybersecurity Compliance (and CMMC)

Posted on September 25, 2018

Learn about NIST 800-171 requirements (currently applicable to all levels of DoD contractors including – including lower tier subcontractors): https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
- Controlled Unclassified information (CUI): https://www.archives.gov/cui
- DoD CUI: https://www.dodcui.mil/Home/DoD-CUI-Registry/
- Training on CUI: https://www.archives.gov/cui/training.html or https://www.dodcui.mil/
Learn about Cybersecurity Maturity Model Certification (CMMC):
- Utilize Project Spectrum (funded by DoD OSBP to educate small business on CMMC): https://projectspectrum.io/ so you can be ready for future (and some current) contract requirements.
- The Office of the Under Secretary of Defense for Acquisition and Sustainment: https://www.acq.osd.mil/cmmc/
Follow the CMMC AB (accreditation body) for news: https://cmmcab.org/
TO BE COMPLIANT:
- Contact your local PTAC counselor to make sure you understand how it applies to you and the process. Virginia clients email ptac@gmu.edu if you don’t know your counselor.
- Create a System Security Plan (SSP) – template available on link #1 above from NIST
- If applicable create a Plan of Action and Milestones (POAM) – template available on link #1 from NIST
- Perform your Basic (self) Assessment against NIST 800-171: https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf
- Publish your results from the NIST 800-171 Basic (self) Assessment into the Supplier Performance Risk Management System (SPRS): https://www.sprs.csd.disa.mil/
- Locate an official Certified 3rd Party Assessment Organization (C3PAO) to perform a CMMC level assessment (get multiple quotes on the open market to see how much it will cost for the assessment): https://cmmcab.org/marketplace/

Other resources:

CMMC_Level_1_Readiness_Checklist from our colleagues at the Del Mar College PTAC
CMMC Self Assessment Checklist in Excel including POAM template
Compliance with DFARS cybersecurity clause training created by the Georgia Tech PTAC: https://gtpac.org/cybersecurity-training-video/
GENEDGE resources: https://www.genedge.org/resources/cybersecurity-materials/
Comprehensive blog article with resources: NIST and DFARS and Cyber Compliance (oh my)!
Cybersecurity update presentation featured at DoD’s Beyond Phase II Mentor-Protégé Training Week (BPIIMPTW18) conference in Orlando, August 2018
Article from National Defense Feb 2019

Link:

Posted in: