NIST

RESOURCES

NEW Department of Defense (DoD) Defense Industrial Base (DIB) Cybersecurity (CS) Activities

The DoD released a final rule that revises eligibility criteria for the voluntary DIB Cybersecurity Program, allowing all contractors who handle CDI (DoD CUI) to benefit from bilateral information sharing, which was previously available only to cleared contractors. This ruling also replaces the need for a Medium Assurance Certificate to access the DIBNet portal for cyber incident reporting by allowing registration for DIBNet access through the Procurement Integrated Enterprise Environment (PIEE). Link | Download

NEW Initial Public Draft: NIST SP 800-171 Rev. 3 (Draft)

NIST has released the initial public draft of SP 800-171 Revision 3, which includes updates to the security requirements and families, updated tailoring criteria, and other enhancements. Link | Download

Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012

The DoD has circulated this Memo to contracting officers to remind them of contractor cyber compliance requirements and emphasize penalties that can be levied against non-compliant contractors. Link | Download

DoD Inspector General Report: Audit of the Protection of Military Research Information and Technologies Developed by Department of Defense Academic and Research Contractors

The DoD Office of the Inspector General released the findings of an audit regarding NIST 800-171 compliance among DoD research contractors and academic institutions, finding that the protection of CUI is not adequate and that contracting officers must increase the emphasis on compliance. Link | Download

DRAFT NIST 800-172 “A” Assessment Guidance Released

NIST has released the draft version of its assessment guide for NIST 800-172 (formerly NIST 800-171B). Link | Download

DoD CUI Awareness and Marking Brief

The DoD has cleared a briefing from November 2020 on CUI Awareness and Marking for public release. These slides provide good information about how CUI is identified and marked. Link | Download

Limited Dissemination Control (LDC) Markings: Quick Reference Guide

The DoD has released a list of the new Limited Dissemination Control (LDC) Markings and descriptions of what each marking means. Link | Download

NIST SP 800-172 “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171”

NIST 800-172 prescribes enhanced security requirements designed to further protect Controlled Unclassified Information (CUI) from advanced persistent threats by protecting the confidentiality, integrity, and availability of that information on nonfederal information systems associated with critical programs or high value assets. This publication does not replace NIST SP 800-171, but creates additional security requirements that will need to be implemented for selected systems. Link | Download

Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)

The DoD has issued an interim rule to amend the DFARS cybersecurity regulations to implement a DoD Assessment Methodology and Cybersecurity Maturity Model (CMMC) framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain. (Comments on the interim rule should be submitted in writing on or before 60 days after the date of publication in the Federal Register.) Link | Download

DRAFT – NIST SP 800-172 (Formerly known as “171B”)

Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST SP 800-171 (Final public draft). Link | Download

Supplier Performance Risk System for NIST SP 800-171 DoD Assessment

The DoD has updated its Supplier Performance Risk System (SPRS) which will now store results from DoD NIST 800-171 Basic, Medium, and High assessments. The SPRS will be accessible by DoD components for the purpose of assessing contractor cybersecurity readiness levels. Link | Download

Update: NIST SP 800-171 DoD Assessment Methodology Version 1.2.1

The DoD has released an update of its NIST SP 800-171 Assessment Methodology, introducing the ability for the DIBCAC to perform remote "virtual" assessments at the Medium and High Confidence level due to the COVID-19 pandemic. Basic assessments will still be self-reported by contractors, and the subtractive, weighted scoring system is still in place. Link | Download

DoD Instruction 5200.48 Controlled Unclassified Information (CUI) (March 6, 2020)

This new DoD Instruction document establishes an official DoD CUI registry and associated DoD-wide policies, responsibilities, and procedures for CUI. Link | Download

NIST SP 800-171 Revision 2/Final, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (February 21, 2020)

This is the final release of NIST SP 800-171 Rev. 2, which supersedes the previous SP 800-171 Rev. 1. Revision 2 includes minor editorial changes but does not change the basic or derived security requirements. Link | Download

NIST SP 800-171B Draft Released June 2019 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets

Draft NIST SP 800-171B provides additional recommendations for enhanced security requirements to protect Controlled Unclassified Information (CUI) from advanced persistent threats (APTs). Link | Download

NIST SP 800-171 Revision 1, Including Updates as of Jun 7, 2018 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

This set of 110 NIST security requirements is derived from NIST 800-53, a broader set of standards used for protecting CUI on Federal systems. Link | Download

NIST SP 800-171A – Assessing Security Requirements for Controlled Unclassified Information (June 2018)

This is the government’s Special Publication that provides guidance for assessing compliance with NIST 800-171. The 171A guidance describes what evidence is needed and how to conduct a total of 320 objective tests to be used for validating successful implementation of the 110 security requirements of NIST 800-171. Link | Download