Pentagon agency to conduct contractor compliance survey based on NIST standard

By Sara Friedman / March 31, 2022

The Defense Contract Management Agency is planning to evaluate information submitted by contractors on their compliance with NIST Special Publication 800-171 to get a better understanding of whether the defense industrial base is meeting the current standard for handling sensitive data.

The Pentagon established a process in 2020 through an interim final rule requiring companies to submit their scores for compliance with NIST Special Publication 800-171 to the Defense Department through the Supplier Performance Risk System.

The process was intended to be a placeholder while DOD rolled out the Cybersecurity Maturity Model Certification program over a five-year period. However, the program has faced significant delays, including a revamp under new Pentagon leaders installed by the Biden administration.

The score is based on the "Medium" assessment from the NIST SP 800-171 DOD Assessment Methodology, which was created in 2019 when DCMA’s Defense Industrial Base Cybersecurity Assessment Center started conducting voluntary assessments of defense contractors against the NIST standard.

DIBCAC’s Nick DelRosso explained how the survey will work Tuesday at a CMMC Accreditation Body “Town Hall” meeting. DelRosso said the DIBCAC will ask for a company’s system security plan and “any associated documentation.”

“We perform a check through the SSP and make sure you are likely complying based on what you are saying,” DelRosso said, emphasizing that the DIBCAC isn’t “actually going out and verifying the implementation” of the SSP. He said they are “just making sure” the implementation paperwork is in place for each score.

“At the DIBCAC, we work with many program offices across the government,” DelRosso said. “We work with different entities that are finding a particular interest in cyber and they are doing a lot of looking at trying to understand how compliant the DIB is with some of these requirements. Working with our partners, we will be examining companies that have self-assessed at a variety of score levels based on their SPRS input.”

“We think it will give us a good survey of the DIB and get an understanding of the level of compliance out there within the DIB and help inform some metrics within DOD to determine that level of compliance,” DelRosso said. The DIBCAC will look for “patterns” that can be identified based on a score, DelRosso said, and they are considering looking into “different sectors of the DIB” to determine if there are sector-specific issues.

The DIBCAC is currently conducting CMMC level two assessments for certified third-party assessment organizations. There are eight companies on the CMMC-AB marketplace and the DIBCAC has several assessments scheduled throughout the rest of 2022.