
COMPLIANCE & REMEDIATION SERVICES

Stay in the Know

The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017.


When you are ready to accelerate becoming DFARS 252.204-7012 compliant, we deliver comprehensive DFARS 252.204-7012 compliance readiness assessments, compliance remediation consulting, and certification support.


DFARS 252.204-7019

Notice of NIST SP 800-171 DoD Assessment Requirements

DFARS 7019, if included in your RFIs, RFPs, contracts, purchase orders, task orders, or delivery orders, requires you to have a current assessment (not more than 3 years old) of your NIST 800-171 compliance on file with the Supplier Performance Risk Management System (SPRS). You cannot take award of work with this clause without a current record in SPRS.


DFARS 252.204-7020

NIST SP 800-171 DoD Assessment Requirements

DFARS 7020 defines three types of assessments pursuant to DFARS 7019: a basic assessment, a medium assessment, and a high assessment. All three assessments must be performed according to the DoD DCMA DIBCAC Assessment Methodology and weighted scoring system. A basic assessment is a self-assessment performed by the DIB contractor. Medium and high assessments can only be performed by the Defense Contract Management Agency's (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) personnel using NIST 800-171A.


DFARS 252.204-7021

Cybersecurity Maturity Model Certification Requirements

DFARS 7021 is the anticipated Cybersecurity Maturity Model Certification (CMMC) clause. When 7021 is included in solicitations, you must have a current CMMC certification to take award of the work. The CMMC certification ecosystem is expected to go online in early 2021, and inclusion of 7021 in contracts will occur through September 2025.

Contractors must flow down the entirety of DFARS 7012, DFARS 7020, and "the substance" of DFARS 7021 to their Tier 1 subcontractors. Effective November 30, 2020, subcontractors receiving CUI must not be awarded work unless they have either a current assessment on file with SPRS under DFARS 7019/7020 or a current CMMC certification. The contractor's responsibility is to uphold these flowdown requirements, and contractors will be held responsible for their performance.


The Risk Management Framework is a set of United States federal government policy and standards, developed by the National Institute of Standards and Technology, to help secure information systems (computers and networks).
