Now that you have the basics of CUI, I will turn to the new reporting requirements and explain the interim rule.

As of November 30, 2020, the latest Department of Defense (DoD) Interim Rule requiring National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (800-171) self-assessment reporting took effect. The interim rule amends the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a “DoD Assessment Methodology and Cybersecurity Maturity Model Certification (CMMC) framework” to better secure the sensitive information present throughout the DoD supply chain. What this means for DoD contractors, and for those pursuing contracts that require DFARS 252.204-7012 (DFARS 7012) compliance, is that they need to assess their current cybersecurity practices against the 110 requirements in 800-171 using the DoD Assessment Methodology, and then report the resulting score in the Supplier Performance Risk System (SPRS).

Who Needs To Submit The Self-Assessment?

The 800-171 self-assessment applies to companies that handle controlled unclassified information (CUI) on their own systems under DFARS 7012. If you do not handle CUI, you are not subject to the 800-171 self-assessment requirement.

Note that if a contract requires a Basic (self) Assessment and you do not have a current one posted in SPRS, you risk not being awarded the contract.

If you are pursuing an acquisition that does not involve CUI and you have not done a self-assessment, at minimum contact the contracting officer and advise that you neither handle nor expect to handle CUI, and that you have therefore not completed the self-assessment because it does not apply to you. You may still want to consider doing the self-assessment anyway: it positions you for future contracts that do involve CUI, and it protects you if there is later a misunderstanding about whether CUI will be handled.

There is a growing trend of contract vehicles requiring a posted self-assessment score or a CMMC certification as a condition of being considered for the vehicle. That’s why cybersecurity is the NextGen secret ingredient for business acquisition.

What Needs To Be In Place To Submit The Self-Assessment?

The self-assessment evaluates your company against the 800-171 security requirements. Not every requirement needs to be implemented at the time you submit, and you can re-submit as your cyber hygiene improves and your score rises. In this way, the self-assessment gives you a roadmap for improving your company’s cybersecurity posture.

That said, if your company handles CUI under DFARS 7012, you do need to have a System Security Plan (SSP) for each covered contractor information system, and a Plan of Action and Milestones (POAM) for each requirement that is not yet implemented, explaining how and when it will be met.

While the SSP and POAM must exist and be available on request, you do not submit them with the self-assessment. What goes into SPRS is the summary: the assessment date, the score, the scope (the system(s) and CAGE codes covered), and the date by which you expect all requirements to be implemented.

I want to caution you against jumping into the self-assessment before setting up your SSP and POAM. You may think it’s best to just get the self-assessment out of the way, but the methodology starts every assessment at 110 and deducts 1, 3, or 5 points for each requirement that is not in place (a requirement sitting on a POAM still counts as not implemented). Without an SSP documenting what is actually implemented, you are guessing at your score, and a low or inaccurate score is what gets recorded against you.

Remember that the self-assessment interim rule was made to protect companies from breaches and to protect our Defense Industrial Base. The trend is clear: good cyber hygiene, demonstrated through self-assessment and CMMC, is the next generation of federal contract requirements. It is best for your company to step up now and build strong cyber foundations so you’re prepared to compete for future contract vehicles, such as Polaris.

If your company does not have an SSP in place or you are not sure how to address the POAM, contact us to discuss our consulting services. 

Next Up

So that is an overview of who needs to self-assess and, in general, what you need to have in place going into the self-assessment. In my next article, I will walk through the SSP.