RESOURCES
NEW eResilience article on supply chain cyber compliance risk published in September issue of NCMA Contract Management Magazine
The September 2023 issue of Contract Management magazine features an article from eResilience focused on supply chain cyber risk management. Download (NCMA members can view the article online by logging in to see the complete September issue at "https://ncmahq.org/Web/Web/Insights/Contract-management-Magazine.aspx") This article appeared in the September 2023 issue of Contract Management magazine, published by the National Contract Management Association. Used with permission.
CMMC 2.0: Level 1 Self-Assessment Guide
The DoD has released the new Assessment Guide for CMMC 2.0 Level 1. This document provides guidance for companies to correctly perform their Level 1 self-assessments, which must be conducted annually, reported to SPRS, and affirmed by a senior company official when contracts require CMMC 2.0 Level 1. Link | Download
CMMC Level 1 and Level 3 Assessment Guides
The CMMC Assessment Guide for Level 3 provides information about the assessment objectives and types of evidence that assessors will need to review in order to validate the successful implementation of CMMC practices and processes. Link| Download (Level 1) Link | Download (Level 3)
NIST SP 800-172 “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171”
NIST 800-172 prescribes enhanced security requirements designed to further protect Controlled Unclassified Information (CUI) from advanced persistent threats by protecting the confidentiality, integrity, and availability of that information on nonfederal information systems associated with critical programs or high value assets. This publication does not replace NIST SP 800-171, but creates additional security requirements that will need to be implemented for selected systems. Link | Download
Update: NIST SP 800-171 DoD Assessment Methodology Version 1.2.1
The DoD has released an update of its NIST SP 800-171 Assessment Methdology, introducing the ability for the DIBCAC to perform remote "virtual" assessments at the Medium and High Confidence level due to the COVID-19 pandemic. Basic assessments will still be self-reported by contractors, and the subtractive, weighted scoring system is still in place. Link | Download
Updated DoD Instruction 8582.01 (December 9, 2019)
The newly updated DoD Instruction 8582.01 replaces the previous version issued June 6th, 2012. This instruction comes from the office of the Chief Information Officer of the Department of Defense, to establish policies, assign responsibilities, and provide directions for managing security on all non-DoD systems that store or process any non-public DoD information, including CUI Link |Download
National Archives Controlled Unclassified Information (CUI) Registry – CUI Categories List
The CUI registry helps you understand what type of information is considered sensitive. There are many types and categories of CUI, and the registry provides descriptions as well as information and resources about marking and dissemination controls. Link
Memorandum: NIST SP 800-171 DoD Assessment Methodology v1.0 (November 14, 2019)
This Memo and associated document describes the new DoD Assessment Methodology that includes both a scoring system to establish an overall score based on the number of requirements that have been successfully implemented, as well as a confidence rating of Basic, Medium, or High depending on the type of assessment / attestation conducted in determining the score. Link | Download
DCMA Contractor Purchasing System Review (CPSR) Guidebook (June 14, 2019)
This is the most recent update of the DCMA Guidebook for auditors conducting Contractor Purchasing System Review (CPSR). APPENDIX 24, starting on Page 97, includes instructions to evaluators on how to assess contractor compliance with DFARS / NIST Cybersecurity regulations and requires contractors to demonstrate how they are tracking and assessing the compliance of their suppliers. Link | Download
Memorandum from the Office of the Under Secretary of Defense: Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (November 6, 2018)
NIST SP 800-171A – Assessing Security Requirements for Controlled Unclassified Information (June 2018)
This is the government’s Special Publication that provides guidance for assessing compliance with NIST 800-171. The 171A guidance describes what evidence is needed and how to conduct a total of 320 objective tests to be used for validating successful implementation of the 110 security requirements of NIST 800-171. Link | Download
Updated DFARS Frequently Asked Questions (rev 1): FAQs regarding the Implementation of DFARS Subpart 204.73 and PGI Subpart 204.73, DFARS Subpart 239.76 and PGI Subpart 239.76 (April 2, 2018)
This important set of FAQs provides the Government’s clarifications and answers to many questions from industry about how to interpret the clause and what the Government’s expectations are regarding cost recovery, supply-chain flow-down, and other key issues. Link | Download
- Original version with highlights: Download
DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (October 2016)
This cybersecurity safeguarding clause is now in all DoD contracts other than purely commercial off-the-shelf procurements, and says that at a “minimum”, contractors must implement NIST 800-171 requirements in order to provide “adequate security” if they store or handle Covered Defense Information (CDI). Link
