Since 2017, Defense Industrial Base (DIB) contractors have been contractually bound by DFARS clause 252.204-7012, which requires them to implement the security requirements of NIST SP 800-171 R2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Given that the clause has existed since 2017, the number of DoD contractors who are still not compliant is astonishing. As a result, beginning December 1, 2020, the Department of Defense moved to a "trust but verify" strategy: contractors must now post the results of their self-assessment, together with the self-attestation that accompanies it, in a DoD system, the Supplier Performance Risk System (SPRS), or send them to DoD by email for entry.
Here, we have compiled a few methods to carry out the DFARS compliance initiative.
To satisfy DFARS 252.204-7019 you must complete a self-assessment against NIST SP 800-171 R2, score it using the NIST SP 800-171 DoD Assessment Methodology, and post the score in SPRS. You should therefore understand how the scoring works. NIST SP 800-171A supplies the assessment procedures used to decide whether each requirement is met, and the DoD methodology is subtractive: the score starts at 110 (one point per requirement), and for every requirement that is not implemented you subtract that requirement's weight of 1, 3 or 5 points, weighted by the impact of leaving it unimplemented. Two requirements, multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11), allow a 3-point deduction instead of 5 when partially implemented, and no score can be produced at all without a System Security Plan (3.12.4). Because the deductions add up to far more than 110, a poor assessment yields a negative score; the lowest possible score is -203. Procurement officers use the score in SPRS to evaluate your adherence data when considering your organization for an award.
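The subtractive scoring rule is easier to reason about when written down, so here is a small scorer added to this page as a worked example; it is not code from DoD or NIST. The 110 starting value, the 1/3/5 weights, the partial-credit rule for 3.5.3 and 3.13.11 and the "no SSP, no score" rule for 3.12.4 follow the DoD Assessment Methodology; the weight table below covers only a handful of requirements and all of its values except 3.1.1, 3.1.2, 3.5.3 and 3.13.11 are assumed placeholders, so take the real weights from Annex A of the methodology before using this on a real assessment.

```python
"""Score a NIST SP 800-171 self-assessment the way the DoD Assessment Methodology does.

Added example for this page, not official DoD/NIST code. Weights other than those for
3.1.1, 3.1.2, 3.5.3 and 3.13.11 are ASSUMED placeholders; the authoritative table is
Annex A of the NIST SP 800-171 DoD Assessment Methodology.
"""
from typing import Dict, List, Optional, Tuple

MAX_SCORE = 110  # one point per requirement; the published floor is -203 when nothing is implemented

# Illustrative subset of the 110 requirements -> points deducted when NOT implemented.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users (published weight)
    "3.1.2": 5,    # limit access to permitted transactions/functions (published weight)
    "3.1.3": 1,    # ASSUMED placeholder weight
    "3.1.5": 3,    # ASSUMED placeholder weight
    "3.5.3": 5,    # multifactor authentication (published weight)
    "3.13.11": 5,  # FIPS-validated cryptography (published weight)
    "3.14.1": 5,   # ASSUMED placeholder weight
}

# Requirements that may be "partial": the methodology deducts 3 rather than 5 for
# 3.5.3 when MFA covers remote/privileged access but not all users, and for 3.13.11
# when encryption is used but is not FIPS validated.
PARTIAL_DEDUCTION: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

SSP_REQUIREMENT = "3.12.4"  # no System Security Plan -> assessment cannot be scored

VALID_STATUSES = {"implemented", "partial", "not_implemented"}


def deductions(assessment: Dict[str, str],
               weights: Dict[str, int] = WEIGHTS) -> List[Tuple[str, int]]:
    """Return (requirement, points_deducted) for every requirement that costs points.

    `assessment` maps a requirement id to "implemented", "partial" or
    "not_implemented". A requirement missing from the assessment is treated as
    not implemented (the conservative reading an assessor would take). "partial"
    only earns the reduced deduction for the two requirements that allow it;
    anywhere else it costs the full weight.
    """
    result: List[Tuple[str, int]] = []
    for req, weight in weights.items():
        status = assessment.get(req, "not_implemented")
        if status not in VALID_STATUSES:
            raise ValueError(f"{req}: unknown status {status!r}")
        if status == "implemented":
            continue
        if status == "partial" and req in PARTIAL_DEDUCTION:
            result.append((req, PARTIAL_DEDUCTION[req]))
        else:
            result.append((req, weight))
    return result


def sprs_score(assessment: Dict[str, str],
               weights: Dict[str, int] = WEIGHTS) -> Optional[int]:
    """Compute the score to post in SPRS, or None when no SSP exists."""
    if assessment.get(SSP_REQUIREMENT) != "implemented":
        return None  # the methodology produces no score without an SSP
    return MAX_SCORE - sum(points for _, points in deductions(assessment, weights))


def poam_items(assessment: Dict[str, str],
               weights: Dict[str, int] = WEIGHTS) -> List[str]:
    """Requirement ids that need a POA&M entry, highest deduction first."""
    return [req for req, _ in sorted(deductions(assessment, weights),
                                     key=lambda d: (-d[1], d[0]))]


if __name__ == "__main__":
    # Constructed sample assessment: everything in place except partial MFA,
    # non-FIPS crypto and a missing 3.1.3.
    sample = {req: "implemented" for req in WEIGHTS}
    sample[SSP_REQUIREMENT] = "implemented"
    sample["3.5.3"] = "partial"
    sample["3.13.11"] = "partial"
    sample["3.1.3"] = "not_implemented"
    print("score:", sprs_score(sample))          # 110 - 3 - 3 - 1 = 103
    print("POA&M:", poam_items(sample))           # ['3.13.11', '3.5.3', '3.1.3']
```

The sorted POA&M list is the practical payoff: the 5-point and 3-point requirements are the ones that move the SPRS score, so they are the ones to schedule first.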
If you are a subcontractor or vendor that processes or stores controlled unclassified information, tell your prime contractor which CUI you handle so that both of you understand which compliance obligations flow down to you.
DoD Assessment Methodology
NIST SP 800-171 and NIST SP 800-171A are two publications from the National Institute of Standards and Technology: 800-171 states the security requirements, and 800-171A gives the procedures for assessing them. SP 800-171 groups its requirements into 14 families of security controls.
NIST SP 800-171 R2 has 14 control families (also called categories) containing a total of 110 requirements, each of which must be self-assessed. At the time of the self-assessment you must have a System Security Plan (SSP) that describes how your firm meets each requirement. Any requirement that is not yet met is recorded in a Plan of Action and Milestones (POA&M), together with the date by which you will comply. NIST publishes SSP and POA&M templates alongside SP 800-171.
NIST 800-171 R2 Requirements and CMMC
You are on the right track to CMMC level 3 compliance if you follow both NIST SP 800-171 R2 and DFARS 252.204-7019. Your first priority is to score your assessment and submit the result to SPRS. You will need the following documentation:
- NIST SP 800-171 R2 (the requirements to self-assess against) plus SSP and POA&M templates
- NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information (the assessment procedures)
- The NIST SP 800-171 DoD Assessment Methodology, the DoD publication that defines the scoring
- The procedures for getting access to SPRS and uploading the assessment results
Whatever you do, be truthful in your self-assessment. Do not claim to implement a requirement that you do not. False assertions of compliance can lead to liability under the False Claims Act, and the Department of Justice has pursued False Claims Act cases against contractors over cybersecurity representations. The Defense Contract Management Agency (DCMA) also audits DoD contractors for NIST SP 800-171 compliance. If you are found to have made a false claim, you can lose your ability to do business with the US government, in addition to financial penalties.