ArchiveOODA Original

The Smart Way For Contractors To Meet New DoD CMMC and DFARS Requirements

Any company that seeks to do business with the Department of Defense, including subcontractors, must comply with new regulations designed to reduce the risks to the nation of cyber threats.

Changes to government rules over the last 5 years have included a steadily increasing number of technical requirements for security programs, new requirements to report to government if there is a breach of systems, and requirements to be able to conduct forensics if there is a need for an investigation.

And in perhaps the most significant change in years the DoD is also requiring inspections of companies to ensure they are complying.

The good news for contractors is that the cost of complying with government mandates does not have to be high when done smartly. And those costs are legitimate business expenses that can be taken into account when calculating government rates (costs are considered allowable under the Federal Acquisition Regulation Cost Accounting Standards). So really the art form here is to be smart when complying with government rules. Being smart will help reduce the cyber risk to your own company, and, if you do it in a serious way, it will help the government know you are the kind of business they want to contract with.

Here is more background:

The Defense Federal Acquisition Regulations (DFARS) requires that all companies doing business with government have a systems security plan that describes how security measures will be put in place. This plan is to be compliant with the many controls in the NIST document known as NIST SP 800-171.

The DFARS also requires that contractors put in place monitoring to be able to detect if a breach has required. Contractors must be able to detect unauthorized access.

DFARS also required that incident response plans be put in place. These include reporting requirements. When a breach is detected, contractors must detect it and report it.

A new government program, called the Cybersecurity Maturity Model Certification (CMMC), is a way of measuring compliance with existing regulations. The CMMC builds on previous work, so there are no real surprises here, but it does change things. The CMMC puts in place requirements for DoD contractors to have their compliance with security rules evaluated. The goal is to measure compliance in a way that generates repeatable metrics and helps both the government and contracting world make better decisions regarding mitigating security risk. The CMMC is an assessment and certification program that will require independent assessments.

Recommendations for CEOs In The Government Contracting Sector:

  • Your team should build the Systems Security Plan required by DFARS, but you should take a personal interest in it.  If you have a plan just to meet government requirements it is probably not a very good plan. It should contain descriptions of your managerial policies and operational procedures and be based on your unique business needs.
  • Seek independent input on your security program. Your own internal team is very likely smart and on top of security. But it is not fair to ask them for unbiased views on how they are doing regarding security.
  • Find the right managed security services firm to provide expert security monitoring of your IT systems. We work with the best and can refer you to experts in this field with experience providing security monitoring for contractors in the DoD space. This is the most efficient way to run a program compliant with government regulations and will result in you having a security program that is economical and requires every little management overhead.

Most important recommendation for the executive in the defense contracting space: Get in touch and let us know what your questions are.

Bob Gourley

Bob Gourley

Bob Gourley is the co-founder and Chief Technology Officer (CTO) of OODA LLC, the technology research and advisory firm with a focus on artificial intelligence and cybersecurity which publishes OODALoop.com. Bob is the co-host of the popular podcast The OODAcast. Bob has been an advisor to dozens of successful high tech startups and has conducted enterprise cybersecurity assessments for businesses in multiple sectors of the economy. He was a career Naval Intelligence Officer and is the former CTO of the Defense Intelligence Agency.