RESOURCES
NEW eResilience article on cyber assurance for prime contractor bidding teams
A new Contract Management magazine article from eResilience discusses supply chain cyber compliance risk and explores issues and strategies that prime contractors should be aware of when sharing CUI with suppliers and subcontractors. This article appeared in the August 2024 issue of Contract Management magazine, published by the National Contract Management Association. Used with permission. Link | Download
NEW DoD issues Class Deviation on Cybersecurity Standards for Covered Contractor Information Systems
The DoD has issued a Class Deviation to modify the DFARS 252.204-7012 clause so that CUI-handling contractors are required to implement specifically NIST SP 800-171 Revision 2, rather than "the version of NIST SP 800-171 in effect at the time the solicitation is issued". This means the CMMC program will continue to use 171 R2 as the underlying standard for compliance even after 171 R3 becomes final. The class deviation is effective immediately and will remain in effect indefinitely, until rescinded. Link | Download
NEW eResilience article on supply chain cyber compliance risk published in September issue of NCMA Contract Management Magazine
The September 2023 issue of Contract Management magazine features an article from eResilience focused on supply chain cyber risk management. Download (NCMA members can view the article online by logging in to see the complete September issue at "https://ncmahq.org/Web/Web/Insights/Contract-management-Magazine.aspx") This article appeared in the September 2023 issue of Contract Management magazine, published by the National Contract Management Association. Used with permission.
CMMC 2.0: Level 1 Self-Assessment Guide
The DoD has released the new Assessment Guide for CMMC 2.0 Level 1. This document provides guidance for companies to correctly perform their Level 1 self-assessments, which must be conducted annually, reported to SPRS, and affirmed by a senior company official when contracts require CMMC 2.0 Level 1. Link | Download
CMMC Level 1 and Level 3 Assessment Guides
The CMMC Assessment Guide for Level 3 provides information about the assessment objectives and types of evidence that assessors will need to review in order to validate the successful implementation of CMMC practices and processes. Link | Download (Level 1) Link | Download (Level 3)
NIST SP 800-172 “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171”
NIST 800-172 prescribes enhanced security requirements designed to further protect Controlled Unclassified Information (CUI) from advanced persistent threats by protecting the confidentiality, integrity, and availability of that information on nonfederal information systems associated with critical programs or high value assets. This publication does not replace NIST SP 800-171, but creates additional security requirements that will need to be implemented for selected systems. Link | Download
Update: NIST SP 800-171 DoD Assessment Methodology Version 1.2.1
The DoD has released an update of its NIST SP 800-171 Assessment Methodology, introducing the ability for the DIBCAC to perform remote "virtual" assessments at the Medium and High Confidence level due to the COVID-19 pandemic. Basic assessments will still be self-reported by contractors, and the subtractive, weighted scoring system is still in place. Link | Download
Updated DoD Instruction 8582.01 (December 9, 2019)
The newly updated DoD Instruction 8582.01 replaces the previous version issued June 6th, 2012. This instruction comes from the office of the Chief Information Officer of the Department of Defense, to establish policies, assign responsibilities, and provide direction for managing security on all non-DoD systems that store or process any non-public DoD information, including CUI. Link | Download
National Archives Controlled Unclassified Information (CUI) Registry – CUI Categories List
The CUI registry helps you understand what type of information is considered sensitive. There are many types and categories of CUI, and the registry provides descriptions as well as information and resources about marking and dissemination controls. Link
Memorandum: NIST SP 800-171 DoD Assessment Methodology v1.0 (November 14, 2019)
This Memo and its associated document describe the new DoD Assessment Methodology, which includes both a scoring system to establish an overall score based on the number of requirements that have been successfully implemented, and a confidence rating of Basic, Medium, or High depending on the type of assessment / attestation conducted in determining the score. Link | Download
DCMA Contractor Purchasing System Review (CPSR) Guidebook (June 14, 2019)
This is the most recent update of the DCMA Guidebook for auditors conducting Contractor Purchasing System Review (CPSR). APPENDIX 24, starting on Page 97, includes instructions to evaluators on how to assess contractor compliance with DFARS / NIST Cybersecurity regulations and requires contractors to demonstrate how they are tracking and assessing the compliance of their suppliers. Link | Download
Memorandum from the Office of the Under Secretary of Defense: Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (November 6, 2018)
NIST SP 800-171A – Assessing Security Requirements for Controlled Unclassified Information (June 2018)
This is the government’s Special Publication that provides guidance for assessing compliance with NIST 800-171. The 171A guidance describes what evidence is needed and how to conduct a total of 320 objective tests to be used for validating successful implementation of the 110 security requirements of NIST 800-171. Link | Download
Updated DFARS Frequently Asked Questions (rev 1): FAQs regarding the Implementation of DFARS Subpart 204.73 and PGI Subpart 204.73, DFARS Subpart 239.76 and PGI Subpart 239.76 (April 2, 2018)
This important set of FAQs provides the Government’s clarifications and answers to many questions from industry about how to interpret the clause and what the Government’s expectations are regarding cost recovery, supply-chain flow-down, and other key issues. Link | Download
- Original version with highlights: Download
DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (October 2016)
This cybersecurity safeguarding clause is now in all DoD contracts other than purely commercial off-the-shelf procurements, and says that at a “minimum”, contractors must implement NIST 800-171 requirements in order to provide “adequate security” if they store or handle Covered Defense Information (CDI). Link