Thank you, again, for joining this next installment on NextGen federal contracting. In my last article, I discussed why we have the DFARS self-assessment and who needs to file it. Today, I will focus on the pieces you need to have in place so you can file your self-assessment.

To summarize my previous posts, Department of Defense (DoD) contractors and those pursuing contracts that require DFARS 252.204-7012 compliance will need to assess their current cybersecurity practices against the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (800-171) controls, and then report their findings.

The self-assessment is going to ask questions about the prime or subcontractor’s System Security Plan (SSP). I will discuss some of the major components of the SSP so you can be prepared. 

The SSP describes computer systems and identifies all connections that hold or access controlled unclassified information (CUI). It also identifies which users can and cannot access data, and states whether there is a firewall and whether there are file servers.

The Federal Risk and Authorization Management Program (FedRAMP) provides document templates to help companies develop SSPs. 

When complete, the SSP will describe how security policies and practices are being implemented according to each of the requirements contained in 800-171. For items that have not yet been implemented, you will need to create a Plan of Action and Milestones (POAM) to detail what step(s) will be taken to implement the item and when these steps will be completed.

Putting It All Together

Once you have your SSP and POAM, you are ready to submit your self-assessment on the Supplier Performance Risk System (SPRS). 

DoD has published an Assessment Methodology for 800-171 that provides a Scoring Template so that you can assess your cybersecurity practices and get your self-assessment score. Once you have your score, refer to DoD’s Quick Entry Guide for assistance with submitting your self-assessment score.

If you are not sure if your SSP is ready for the self-assessment, consultants, such as IBSS, can evaluate the implementation of the controls or even develop the plan, if needed, to help prepare you for the self-assessment. 

Next Up

So far, I have covered the requirements and why they are important, and I have alluded to trends in upcoming federal contracts. Next, I will tell you how these requirements are starting to show up in contract vehicles.