Even if cybersecurity isn’t your expertise, knowing a bit about it can work wonders for your business. This is especially true if you’re working within the Defense Industrial Base (DIB). If you’re reading this, you likely already know that the Department of Defense (DoD) requires you to comply with strict cybersecurity standards. However, it is not always easy to sort through all of the jargon, acronyms, and information, and it can be even harder to know exactly how to put the necessary protections in place on your systems. Working with a compliance management service can help ease this burden and ultimately save you time and money. Still, you’ll be in a better position to seek assistance if you understand these key concepts about cybersecurity for DoD contractors.
Controlled Unclassified Information
The DoD’s cybersecurity regulations are designed to create a uniform standard for handling Controlled Unclassified Information, or CUI, across the Defense Industrial Base. Simply put, when you supply goods or services to the defense department, you will be required to protect information such as financial documents and technical drawings. Because CUI is neither classified nor top secret, it is handled with far less rigor than classified material, which makes it of great interest to adversaries like foreign nations, terrorist groups, and criminals: it offers them relatively easy access to information that could compromise US military operations or security. To ensure this information remains secure, the Defense Department put in place a regulation known as the Defense Federal Acquisition Regulation Supplement.
The Defense Federal Acquisition Regulation Supplement
The Defense Federal Acquisition Regulation Supplement, or DFARS, is the legal framework that houses the cybersecurity standards you must comply with in order to fulfill your contracts. So, what is DFARS compliance exactly? The regulation mandates that the information systems on which you store or process CUI provide adequate security, as defined in a document called NIST SP 800-171. It also requires that you report cyber incidents affecting CUI to the DoD within 72 hours of discovery, and that you preserve images of the affected systems and the relevant log data for at least 90 days so the DoD can request them for forensic analysis. The latter point is relatively simple and self-explanatory. The former, however, requires more explanation.
NIST 800-171
NIST 800-171 is short for National Institute of Standards and Technology Special Publication 800-171. This is the document cited in DFARS that lays out the cybersecurity practices and specifications that are deemed acceptable for protecting CUI in non-federal systems. NIST SP 800-171 is made up of 110 security requirements spread across 14 families (for example, access control, audit and accountability, configuration management, and incident response). Familiarizing yourself with and implementing these requirements is the most critical step in ensuring your network is up to par.
CMMC
CMMC stands for Cybersecurity Maturity Model Certification. Think of CMMC as the mechanism for verifying your compliance with DFARS according to the requirements outlined in NIST SP 800-171. While it won’t be mandated in every DoD contract until 2025, this added layer of compliance is expected to start phasing into various contracts very soon. Once it is active, you will be required to have an accredited third-party assessment organization evaluate and verify your compliance with DFARS via NIST SP 800-171, rather than simply self-attesting to it. CMMC will consist of 5 levels of compliance. The terms of your contract and the nature of your business will determine the level your systems will need to meet.
While all of the terminology and acronyms can be confusing, the general concepts are relatively easy to follow. DFARS is the legal framework mandating uniform cybersecurity standards to protect CUI across the DIB. NIST SP 800-171 is the document that DFARS cites to define those standards, and CMMC will be the certification needed to prove your compliance with DFARS according to NIST SP 800-171. That said, running a business has many moving parts, and you may not have time to keep track of it all. If you ever find yourself overwhelmed, a reputable compliance management service can be your guide.