Defense Tech companies that seek to maximize their chances of winning government contracts must understand current and future cybersecurity requirements. Specifically, they need to know that there are existing Defense Federal Acquisition Regulation Supplement (DFARS) clauses that mandate NIST SP 800-171 Rev. 2 compliance for certain contracts they’re looking to obtain. To compete for these contracts, Defense Tech companies must also post a NIST SP 800-171 Rev. 2 self-assessment score to the Supplier Performance Risk System (SPRS). Additionally, the more rigorous Cybersecurity Maturity Model Certification (CMMC) process is just around the corner and is expected by most to go into effect early next year. This is why Defense Tech companies need to act today to start their compliance journey. Companies that get ahead of CMMC can enjoy a window of competitive advantage, yet those who fall behind stand to lose out on government contracts and opportunities.
NIST SP 800-171 Rev. 2 Overview
Compliance with NIST Special Publication 800-171 Rev. 2, titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” is currently required in many Department of Defense (DoD) contracts. Developed by the National Institute of Standards and Technology (NIST), this framework provides guidelines on how organizations can safeguard sensitive information that is shared by federal agencies. The publication includes 110 security requirements spread across 14 families, such as access control, incident response, and system and information integrity. These requirements help ensure that non-federal organizations implement adequate security measures to protect Controlled Unclassified Information (CUI) from unauthorized access and cyber threats.
By providing a standardized set of requirements, NIST SP 800-171 Rev. 2 helps to mitigate risks associated with the loss or compromise of CUI, which could have significant national security implications. The guidelines also aim to enhance the overall cybersecurity posture of the defense industrial base (DIB) and other sectors handling federal information.
Compliance with NIST SP 800-171 Rev. 2 is mandated by DFARS clauses that may be present in sensitive defense contracts. Key among them is DFARS 252.204-7012, which requires defense contractors to implement the NIST SP 800-171 Rev. 2 security controls to protect CUI and to report any cyber incidents to the DoD. Additionally, DFARS 252.204-7019 requires contractors to submit a current assessment of their NIST SP 800-171 Rev. 2 implementation to the Supplier Performance Risk System (SPRS). The intent of these clauses is to ensure that contractors maintain a minimum level of cybersecurity so that information shared by federal agencies is better protected.
SPRS Overview
SPRS is a tool used by the DoD to evaluate the performance and risk profiles of its suppliers. SPRS aggregates data from multiple sources to provide a comprehensive view of a supplier’s performance, including compliance with cybersecurity standards such as NIST SP 800-171 Rev. 2. This system helps the DoD make informed decisions regarding contract awards and supplier management, ensuring that contractors meet necessary performance and security standards.
CMMC Overview
Defense Tech companies must currently comply with NIST SP 800-171 Rev. 2 and the SPRS reporting requirement, and should begin preparing for CMMC. CMMC was introduced to address DoD concerns related to rampant nation-state data theft and industrial espionage occurring within the DIB. The current CMMC proposal has three maturity tiers. Level 1 is a subset of NIST SP 800-171 Rev. 2. Level 2 is aligned with full NIST SP 800-171 Rev. 2 compliance. Level 3 includes additional advanced security practices. All DIB companies should expect to reach Level 1 compliance. Companies handling CUI will be expected to reach at least Level 2 compliance.
Making CMMC a Competitive Advantage
CMMC is likely to go into effect early next year. Once in effect, companies will have a defined period of time to become compliant and to have a third-party assessment conducted to verify that all requirements are met. Companies first to reach this milestone will have a unique window of competitive opportunity. Forward-thinking companies are conducting CMMC gap assessments and shoring up weaknesses. They are also locking in a C3PAO engagement, ensuring they have a spot in line once assessments can proceed. Because there are a limited number of C3PAOs, the line is already getting long. Once the rule is passed, companies might find themselves many months away from being able to secure an assessment – hence the window of opportunity for companies leaning into CMMC readiness.
Furthermore, just because you have a spot in line for a C3PAO doesn’t mean you will be ready to pass the audit. Implementing the necessary system, infrastructure, and process changes to achieve compliance with NIST SP 800-171 Rev. 2, on which CMMC Level 2 is currently based, can take six months to a year. There are significant cybersecurity technologies and operational capabilities that companies must bring up and make operational. Some of the costliest and most complex include mature capabilities around log management, threat detection, incident response, and vulnerability management. These capabilities require specialized technology and staff that companies must acquire, or they’ll need to select a service provider to whom they can outsource. If going the service provider route, that provider too must be CMMC compliant.
Conclusion
Defense Tech CEOs need to ensure they are factoring current and future compliance requirements into their overall go-to-market strategy. Failure to understand these requirements can severely impede a company’s ability to compete — today and in the future. Conversely, getting your company on a path to NIST SP 800-171 Rev. 2 compliance will ensure you are meeting current requirements and will put you ahead of the game when CMMC goes into effect. It would also be wise to start speaking with C3PAOs and consider securing your place in line, to maximize what might be a rare window of extreme competitive differentiation.
About Chris Petersen:
Chris Petersen is a leader and innovator who cares deeply about protecting governments and companies from cybersecurity threats. Chris began his career as a consultant with Price Waterhouse (PwC) and later Ernst & Young (EY). He then joined the first Silicon Valley startup providing Managed Security Services. In 2002, Chris co-founded LogRhythm, a Gartner Magic Quadrant Leader in Security Information & Event Management (SIEM). Currently, Chris is the CEO of RADICL Defense, a stealth startup protecting organizations from nation-state threats. Chris has spoken at conferences across the globe, holds multiple patents, and is an EY Entrepreneur of the Year.