DFARS 252.204-7012 Compliance
Are you the weakest link ?
n response to the recent executive orders and growing pressure from high profile government data breaches, DOD Issued the Final DFARS Rule on Network Penetration and Cloud Computing on October 2016. The final ruling requires covered contractors to implement certain cybersecurity safeguards and report data breaches within 72 hours and adopt NIST SP 800-171 as the baseline for covered information system security requirements.
DFARS Compliance Requirements
The Final rule includes the following Provisions and Clauses::
- Subpart 204.73 – Safeguarding Covered Defense Information and Cyber Incident Reporting
- Subpart 239.76 – Cloud Computing
- 252.204-7008 – Compliance with Safeguarding Covered Defense Information
- 252.204-7009 – Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information
- 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting
- 252.239-7009 – Representation of Use of Cloud Computing
- 252.239-7010 – Cloud Computing Services
- Details are posted in our blog and CKSS White paper
CKSS provides a wide variety of DFARS services. Fill out the form to the right, to receive this white paper on DFARS Compliance.
he rule will affect many government contractors whose services are associated with sensitive information. For further information on NIST SP 800-171, see the CKSS white paper and our blog .
At CKSS, we understand DFARS 252.204-7012 compliance and how it can help your business become more secure. We have expertise to help you achieve and maintain compliance.
Our firm is focused on organizations who are facing cyber threats and regulatory compliance requirements with minimal or no dedicated IT security personnel.
Our proprietary methodology is based on the NIST Risk Management Framework and Best Practice. We provide the following services:
- Align security needs with business needs, planning cycles, and financial constraints.
- Balance your information technology operational needs with security initiatives.
- Develop a time-phased compliance Roadmap Strategy to get a buy-in from top leadership
- Conduct an analysis of the infrastructure to determine Roadmap for compliance. Adopt a time-phased approach to educate C-suite, upper management, and other stakeholders on assessment process.
- Creation of NIST 800-171 Security Compliance Framework.
DFARS Compliance Risk Assessment
- Conduct a Third-Party Risk Assessment for clients that haven’t used our remediation services.
- Conduct Continuous Monitoring activities as part of “Security as a Managed Service.”
DFARS 252.204.7012 Templates
- Development of compliance artifacts is only a portion of DFARS 252.204-7012 Compliance. CKSS has an array of Customized DFARS templates to assist organizations in documenting compliance to252.204.7012. Click here for more details.
WHERE TO TURN… WHEN DFARS 252.204.7012 COMPLIANCE MATTERS ? call 443-459-1589 or contact us
What is CMMC ?
Cybersecurity Maturity Model Certification, abbreviated as “CMMC,” is a new standard developed by US Department of Defense (DOD) Office of the Under Secretary of Defense for Acquisition & Sustainment (https://www.acq.osd.mil/cmmc/draft.html).
CMMC provides oversight for the implementation of DFARS 252.204-7012 and NIST SP 800-171 that were previously based on self-certification. The CMMC framework measures cybersecurity maturity with five levels and aligns a set of processes and practices in regards to the types and sensitivity of information to be protected.
For more details on the CMMC Framework and answers to FAQsClick to Learn More
CMMC is managed by the CMMC Accreditation Body (CMMC-AB) (https://www.cmmcab.org/) CMMCS-AB provides guidance and oversight and is tasked to manage Assessor Certification, Third Party Assessor Organization (3PAO) Registration and Training. The CMMC-AB is responsible for training and certifying the third-party assessment organizations (“C-3PAOs”) that conduct cybersecurity assessments of DoD contractors.
DoD expects the CMMC-AB to set up a marketplace of C-3PAOs on its website in 2020. Companies will use the marketplace to obtain information on the various C-3PAOs and schedule assessments for needed certification levels. DoD expects this to be sufficient time to allow companies to obtain the relevant certification before a contract is awarded.
In order for a system to be CMMC certified, only CMMC approved assessors may be engaged in the certification process.
Timing for Certification Requirement
By end of Fiscal Year 2026, CMMC certification will be required for any company doing business with DOD, either as a prime contractor or a lower-tier subcontractor. DOD will work with agencies to identify pilot programs that will initially implement CMMC requirements, and a complete rollout will occur during FY 2021 to 2025, with all DOD contracts incorporating the requirements by FY 2026.
EVERYONE DOING BUSINESS WITH DOD HAS TO WAIT FOR THE DOD DFARS RULE CHANGE BEFORE THEY CAN INCLUDE THE NEW CMMC MANDATE.
DOD’s phased rollout gives industry a bit of a reprieve; however, all DOD contractors and subcontractors must still begin preparations for the CMMC as DOD puts backend ecosystem in place. DOD intends to implement the CMMC requirements using a mix of Levels 1 to 5, explained below. The required CMMC level will be found in sections L & M of future DOD Request for Proposals (RFP), and the DOD agency will have the discretion to specify the certification level required at award.
ACCORDINGLY, CONTRACTORS AT EVERY LEVEL WITHIN THE CMMC FRAMEWORK NEED TO START PREPARING FOR IMPLEMENTATION.
Structure of CMMC Framework
The CMMC levels are commensurate with the type and sensitivity of information to be protected. As a result, the CMMC levels are categorized as follows:
- Level 1: Safeguard Federal Contract Information (FCI). This level focuses on protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21.
- Level 2: Serves as transition step in cybersecurity maturity progression to protect CUI (Basic Safeguarding of Covered Contractor Information Systems). This level focuses on the establishment of policies and procedures to achieve CMMC Level requirements.
- Level 3: Protect Controlled Unclassified Information (CUI). This level focuses on establishing and maintaining plans for CMMC practices. In addition, contractors must implement all the security requirements stipulated in NIST SP 800-171 and DFARS 252.204-7012.
- Level 4-5: The level focuses on protecting CUI and reducing the risk of advanced persistent Threats (APTs).
Relationship between NIST SP 800-171 and CMMC
CMMC Levels 1-3 encompass the 110 security requirements specified in NIST SP 800-171 Rev1. CMMC incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense,” and Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2.
Differences between NIST SP 800-171 and CMMC
Unlike NIST SP 800-171, the CMMC model possesses five levels. Each level consists of practices and processes as well as others specified in lower levels. In addition to assessing a company’s implementation of cybersecurity practices, the CMMC will also assess the company’s institutionalization of cybersecurity processes.
CMMC has added 20 new CMMC controls and the following new domains:
- Asset Management
- Situational Awareness
Source for CMMC Practices Per Level
Roadmap to Compliance
Many DOD contractors are familiar with DFARS/NIST SP 800-171 requirements; therefore, implementing additional controls should not be difficult for most. The level of effort required will depend on the CMMC certification level. Most DOD contracts will be assessed at Levels 1 and 3. Levels 4 and Level 5 are considered highly strenuous and are geared towards higher-tier DOD contractors.
For more details on the DFARS/NIST SP 800-171/CMMC RoadmapClick to Learn More
The first step is to conduct a gap analysis of the infrastructure to determine the required roadmap for compliance. This step incudes adopting a time-phased approach to educate C-suite, upper management, and other stakeholders on the compliance requirements and the documentation of non-compliance controls using a Plans of Action and Milestones (POAM) spreadsheet and establishing a project plan for remediation.
The second step is remediation which encompasses the creation of the DFARS/NIST 800-171/CMMC Security Program. The preparation tasks in this step are resource intensive and require dedicated personnel. Many contractors bring on board a managed services security company to take care of some of the remediation tasks, including providing engineering support and authoring compliance documentations. As an example, the remediation phase for Level 3 can take many months to accomplish, as it may require re-designing of the network, acquisition, and configuration of tools and authoring of compliance documents. Bear in mind that the System Security Plan is the last document to be authored after an organization has fully implemented all the technical and administrative safeguards.
To spread out the cost of implementation, organizations should adopt a phased approach in standing up a SP 800-171/DFARS security program.
The third step is the preparation for CMMC certification where contractors conduct an internal readiness assessment or hire a consultant for assistance. Per the CMMC-AB, organizations should commence at least six months prior to starting the certification process to save on time and resources.
AFTER THE CMMC ASSESSMENT, ORGANIZATIONS HAVE 90 DAYS TO REMEDIATE CMMC FINDINGS BEFORE A CERTIFICATION IS ISSUED.
To meet compliance best practices, contractors should consider the following CMMC Level 3 suggested Roadmap:
CKSS DFARS/NIST SP 800-171/CMMC Solution
CKSS has many years of experience working with contractors of all sizes. Our team of specialists have extensive experience helping small to medium organizations implement and maintain robust information security programs. This work is in addition to helping organizations achieve and maintain compliance with FISMA, DFARS/NIST SP 800-171/CMMC, NISPOM, FedRAMP, ISO 27001, HIPAA, PCI DSS and other state-level and national regulations.
For Key Highlights, Compliance, and Cloud OfferingsClick to Learn
Conduct Gap Analysis for FedRAMP, DFARS 252.204-7012, NISPOM, HIPAA , and ISO 27001; PCI/DSS risk assessments; security assessments and authorizations (C&A); NIST framework governance for many government agencies; DFARS/NIST SP 800-171/CMMC, remediation and continuous monitoring; and audits for critical security controls, independent verification and validation (IV&V), OMB-123, FISMA, and HIPAA.
Authored many FedRAMP and NIST 800-53 security documents and set up NIST Security Programs for numerous Federal Agencies in the DC metropolitan area.
CKSS has compiled a suite of DFARS 252.204-7012/ NIST 171/CMMC compliance templates to help DOD contractors get started on their remediation activities and save valuable time. The templates CKSS provides are 80 percent prepopulated with comments and instructions and are based on security best practices.
CKSS will aid in eliminating the stress and headache that can comes with doing it yourself. For further information, click here.
Our Comprehensive Compliance Solutions include:
IT AUDITS/ASSESSMENTS & COMPLIANCE SERVICES
- Advisory Services
- DFARS/NIST 800-171 Remediation Support
- DFARS/NIST 800-171/CMMC Templates
- DFARS/NIST 800-171 Gap Analysis
- CMMC Pre-Assessment/Readiness
- Cloud Computing Assessments
- Actionable Audit Deliverables
- Virtual Chief Information Security Officer [vCISO)
- Vulnerability Management
- IT Engineering/Infrastructure and Maintenance Support
- Business Continuity
- DFARS/NIST 800-171/CMMC Compliance Documents
- Actionable Gap Analysis Strategic Roadmap Report
- Policies and Procedures
- Security Plan documents
- System Security Plan
- Plans of Action and Milestones (POAMS)
CKSS DFARS/NIST 800-171/CMMC CLOUD OFFERINGS
CKSS understands the role of Cloud technology in assisting small to medium businesses in addressing government security and compliance mandates. CKSS has partnered with other renowned Cloud Consulting Companies to provide the following Cloud-related services:
- Office 365 GCC High Services
- Office 365 GCC High Migration
- 365 GCC High Implementation
- Customized platform that adheres to DFARS/NIST 800-171/CMMC Requirements
- Standard Operating Procedures for backend operations
- Compliance deliverables
- AWS/Azure Gov Cloud Services
- Cloud Assessment and Strategy/Roadmap
- Cloud Transformation and Migration
- Creation of DFARS 252.204-7012/NIST 800-171/CMMC Enclave
- Cloud Operations and Optimization
- Security and Compliance
- Audits/Assessments & Remediation
- Standard Operating Procedures for backend operations
- Compliance deliverables
Industry Experience and Certifications
CKSS has adopted a strategic approach to security by establishing an enterprise-wide Corporate Risk, Information Security, and Privacy Function program that can help organizations of any size respond to DFARS 252.204-7012 requirements.
CKSS employs top of the line data protection solutions for data at rest and in transit. E-mails and attachments are encrypted using FedRAMP certified solutions. Zipped files are compressed using FIPS 140-2 software. Client data is destroyed using secure tools after the conclusion of an engagement.
We have years of experience working with contractors of all sizes. Our team of specialists have extensive experience in helping small to medium organizations implement and maintain robust information security in addition to helping them achieve and maintain compliance with FISMA, DFARS 252.204-7012, NISPOM, HIPAA, PCI DSS, and other state-level and national regulations.
We have conducted FedRAMP Gap Analysis, DFARS 252.204-7012 Gap Analysis, NISPOM Gap Analysis, HIPAA Gap Analysis, ISO 27001 Gap Analysis, Infrastructure Audits, PCI/DSS Risk Assessments, Security Assessment and Authorization (C&A), NIST Framework Governance, DFARS 252.204-7012 Remediation, and Continuous Monitoring.
Our security professionals have successfully implemented various security tools, cloud transformations, DecSecOps processes, network designs, firewalls, IDS/IPS, vulnerability and configuration management.
Our consultants have industry’s most prestigious certifications such as:
- Certified Information System Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)
- Certified GIAC Systems and Network Auditor (GSNA)
- Certified Risk Information Systems Control (CRISC)
- AWS Certified Solutions Architect—Associate (AWS-SAA)
- AWS Certified Solutions Architect-Professional (AWS-SAP)
- AWS Certified Developer—Associate (AWS-DA)
- AWS Certified SysOps Administrator
- AWS Certified Cloud Practitioner (AWS-CLF)
- Scaled Agile Framework (SAFe)
- Certified ITIL Foundations, V3
- Certified Information and Certified Information Security Manager (CISM)
- Cisco Certified Network Administrator – (CCNA)
- Project Management Professional – (PMP)
Development of compliance artifacts is only a portion of DFARS 252.204-7012 Compliance. Compliance entails purchasing and enhancement of tools, implementation of new technologies, and documentation of processes. Rule of thumb is to start with Gap Analysis followed by Remediation Activities.
CKSS has compiled a suite of DFARS 252.204-7012 compliance templates to help DOD Contractors get a jumpstart on their Remediation activities as well as ensure continued compliance. By buying compliance templates, you are saving your organization time and money since all the templates have already been created and conveniently grouped together for you.
The toolkit templates were developed by a team of experts with extensive experience in NIST 800-53 and NIST 800-171 consulting and auditing.
Choose the template package that fits your needs based on our wide array of templates. There are over 76 documentation templates and guidance documents included. The templates are easy to fill in with a lot of Best Practice instructions included. Each document contains comments that specify what should be included or omitted. The templates are created in MS Word, Excel, and PowerPoint and are easily customized. All the policies, procedures, and security plans have a similar structure- introductory, scope, definitions, headers, and footers etc.
Below is an example of one of our templates. Currently CKSS offers four different toolkits:
- System Security Plan Toolkit
- Contingency Plan and Incident Response Toolkit
- Policies and Procedures Toolkit
- Full Compliance Toolkit
Templates purchased via PayPal or Square are available for download as soon as you have checked out. For more details about what is included in each of these packages click the button to the right.
CKSS is proud to be certified as a Qualified Maryland Cybersecurity Seller in support of The Maryland Defense Cybersecurity Assistance Program (DCAP). The program provides funding and assistance for Defense Contractors to comply with the DFARS 252.204-7012 and NIST 800-171 Requirements.
The DCAP program is funded by the Department of Defense’s Office of Economic Adjustment (OEA) through the Maryland Department of Commerce and is being coordinated by the MD Manufacturing Extension Partnership (MEP). Defense contractors in Maryland generate more than $57 Billion in economic impact and the DCAP program will help these contractors comply with the Federal regulations necessary to continue providing services to the Federal Government.
Defense Contractors may claim a tax credit for 50% of the net purchase price of cybersecurity technologies and services (Gap Analysis or Advisory Services) purchased from CKSS. The tax credit must be claimed for the tax year in which a purchase is made.
CKSS is a service provider specializing in Compliance, IT audits, Cloud Transformations, DevSecOps, and Managed Security Services. We have more experience than our competitors. In addition, we have a proven methodology and array of DFARS 252.204.7012 Templates (USPTO Copy Right Registered) that specifically address NIST 800-171 Requirements.
CKSS provides the following managed services that can qualify for reimbursement under DCAP.
Complete the form below to download our DFARS White Paper and schedule
your FREE DFARS GAP Consultation
or call 443-459-1589.