Is your company located in Virginia?

Cybersecurity Compliance (and CMMC)

1. Learn about NIST 800-171 requirements (currently applicable to all levels of DoD contractors including – including lower tier subcontractors): https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
   • Controlled Unclassified information (CUI): https://www.archives.gov/cui
   • DoD CUI: https://www.dodcui.mil/CUI-Registry-New/
   • Training on CUI: https://www.archives.gov/cui/training.html or https://www.dodcui.mil/
2. Learn about Cybersecurity Maturity Model Certification (CMMC):
   • Utilize Project Spectrum (funded by DoD OSBP to educate small business on CMMC): https://projectspectrum.io/ so you can be ready for future (and some current) contract requirements.
   • The Office of the Under Secretary of Defense for Acquisition and Sustainment: https://dodcio.defense.gov/CMMC/
   • CMMC Documentation (Model, Scoping Guide, Assessment Guide): https://dodcio.defense.gov/CMMC/Documentation/
   • DIBCAC Assessment Information: https://www.dcma.mil/DIBCAC/
3. Follow the CMMC AB (accreditation body) for news: https://cmmcab.org/
   • Understand the CMMC ecosystem: https://cyberab.org/CMMC-Ecosystem/What-is-CMMC
   • Bookmark the CMMC Marketplace: https://cyberab.org/Catalog#!/c/s/Results/Format/list/Page/1/Size/9/Sort/NameAscending
4. TO BE COMPLIANT:
   • Contact your local APEX Accelerator counselor to make sure you understand how it applies to you and the process. Virginia clients email apex@gmu.edu if you don’t know your counselor.
   • Create a System Security Plan (SSP) – template available on link #1 above from NIST
   • If applicable create a Plan of Action and Milestones (POAM) – template available on link #1 from NIST (look under Documentation)
   • Perform your Basic (self) Assessment against NIST 800-171 – instructions and documents available on link #1 above from NIST (look under documentation)
   • Publish your results from the NIST 800-171 Basic (self) Assessment into the Supplier Performance Risk Management System (SPRS): https://www.sprs.csd.disa.mil/ and review FAQ: https://www.sprs.csd.disa.mil/faqs.htm#nist
   • If applicable, locate an official Certified 3rd Party Assessment Organization (C3PAO) to perform a CMMC 2.0 level 2 assessment (get multiple quotes on the open market to see how much it will cost for the assessment): https://cmmcab.org/marketplace/

Other resources:

• CMMC_Level_1_Readiness_Checklist from our colleagues at the Del Mar College PTAC
• CMMC Self Assessment Checklist in Excel including POAM template
• Compliance with DFARS cybersecurity clause training created by the Georgia Tech PTAC: https://gtpac.org/cybersecurity-training-video/
• GENEDGE resources: https://www.genedge.org/resources/cybersecurity-materials/
• Blue Cyber (Air Force cybersecurity education and outreach) Check out a flier on their resources including weekly events and monthly bootcamps: https://virginiaptac.org/wp-content/uploads/2023/09/BlueCyber-Services-Flyer.pdf
• Center for Development of Security Excellence Training by DCSA

Link: