As a prime contractor or subcontractor to the government, you want to focus on business development. Winning contracts, however, is not just about submitting proposals. Contractors typically focus their attention on strengthening their capabilities, giving minimal thought to creating resilient cybersecurity practices. This can leave them vulnerable to cyber attacks, which in turn threatens the government supply chain.

The government feels so strongly about cyber threats that new risk management standards are being put in place. Some standards are mandatory, such as the self-assessment for National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (800-171), even if the contractor does not provide information technology (IT) services. 

Many companies do not know if they need to complete this assessment. The main focus of 800-171 is to secure controlled unclassified information (CUI). 

As of November 30, 2020, the latest Department of Defense (DoD) Interim Rule requiring 800-171 self-assessment reporting went into effect. The interim rule amends the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a “DoD Assessment Methodology and Cybersecurity Maturity Model Certification framework” to better secure the sensitive information present throughout the DoD supply chain. For DoD contractors, and for those pursuing contracts that require DFARS 252.204-7012 compliance, this means they will need to assess their current cybersecurity practices against the 800-171 controls and then report their findings.

In this series of articles, I will help you understand if your company needs to comply with these standards, whether you are a prime or subcontractor for the federal government. In the next article, I will define CUI and Federal Contract Information (FCI). Then I will look at some examples of CUI. After that, I will dive into 800-171 and the trend among contract vehicles toward requiring cybersecurity compliance. My goal is to help you understand and be prepared to succeed in winning contracts with these NextGen cybersecurity compliance requirements.