The need to defend against cyberattacks that threaten U.S. military advantages becomes more obvious every day. The Department of Defense (DoD) is intent on better defending the vast attack surface that the Defense Industrial Base (DIB) presents to adversaries, and it is taking action to do so.
DoD created the Cybersecurity Maturity Model Certification (CMMC) framework to unify standards for the implementation of cybersecurity practices and processes throughout the DIB. CMMC is not just for large defense contractors: it will affect nearly every one of the 300,000 companies that do work for the DoD.
While adjustments might be made to the CMMC framework as it is rolled out, particularly with an eye toward making CMMC certification more affordable for small businesses, it is clear that DoD is standing behind the model. In fact, enforcement of NIST 800-171, which forms the foundation of CMMC Level 3, has significantly stepped up.
CMMC Level 3 certification requires compliance with NIST 800-171's 110 controls, plus 20 additional controls. Those foundational NIST controls are not changing. In this environment, your company's best course of action is to focus on complying with NIST 800-171. Doing so now will put your company on a smooth path to CMMC Level 3 compliance when that time comes.
DFARS and NIST 800-171 are in effect now
There is no question that now is the time to make progress on enhancing your company’s cybersecurity. DFARS 252.204-7012 has required implementation of NIST 800-171 controls since late 2017. Now, the recent DFARS Interim Rule requires contractors to not only continue to conduct NIST 800-171 self-assessments, but also to report their self-assessment scores to the DoD’s SPRS (Supplier Performance Risk System).
Specifically, the DFARS Interim Rule stipulates:
- DoD’s NIST 800-171 Assessment Methodology must be adhered to and all contractors who handle CUI must perform at least a Basic level self-assessment.
- Self-assessments will be scored. Scoring starts at a maximum of 110, based on the 110 NIST 800-171 controls. Points will be subtracted for each control not yet implemented.
- Because the DoD’s Assessment Methodology assigns more than one point to some controls, a negative score is possible.
- Self-assessment scores must be filed in the DoD’s SPRS by the time of contract award, and the self-assessment must be maintained for the duration of the contract.
- If their self-assessment score falls below 110, contractors are required to create a Plan of Action and Milestones (POA&M) and indicate to the DoD by what date the security gaps will be remediated and a score of 110 will be achieved. (Note, however, that POA&Ms will not be allowed under CMMC.)
- Self-assessments must have been completed within the past three years.
Negative NIST 800-171 scores are possible. The average score of a typical small to mid-sized defense contractor is -27. By deploying PreVeil, contractors can improve their score by approximately 40 points.
We know that since the DFARS Interim Rule went into effect in late 2020, the DoD has withdrawn contract awards from companies that haven't yet filed their self-assessment score with SPRS. And while the DFARS Interim Rule doesn't specify a minimum self-assessment score that must be achieved, the DoD will perform risk-based assessments to help determine which companies it will award contracts to. If a company has a low self-assessment score, it stands to reason that the DoD will consider that company a higher security risk than an alternative supplier with a better score.
It is reasonable, too, to expect that primes will consider self-assessment scores when evaluating possible subcontractors, and that subcontractors with higher scores represent a lower risk and are consequently more likely to win the contract.
PreVeil for DFARS and NIST compliance
PreVeil's secure email and file sharing platform can help your company quickly raise its NIST 800-171 self-assessment score, get on the path to CMMC Level 3 compliance, and win DoD contracts. Its end-to-end encrypted communications system, in combination with modern endpoint controls, protects data resources and CUI at every point in an organization's communications and collaboration cycle, including, importantly, throughout the supply chain.
In addition, PreVeil fully complies with DFARS 252.204-7012 (c) through (g): its platform is certified as FedRAMP Baseline Moderate, and all encrypted customer data is stored on FedRAMP High AWS GovCloud.
In short, PreVeil supports compliance with virtually all of NIST 800-171’s requirements related to the communication and storage of CUI. Deploying the platform can help you meet over 80 of the 110 total NIST controls.
PreVeil’s brief, DFARS Self-Assessment: Improving Cybersecurity and Raising Your Score, describes how PreVeil can help your company raise its NIST 800-171 score by nearly 40 points. Your company can achieve particularly large gains in NIST’s Access Control and Systems & Communications Protection domains with PreVeil. The paper’s appendix lists each of NIST 800-171’s 110 controls and shows specifically how PreVeil helps meet them.
Another PreVeil brief, Case Study: How a Defense Contractor using PreVeil Achieved a Near-Perfect NIST 800-171 Score in DIBCAC Audit, details the case of a small- to medium-sized business (SMB) that achieved a near-perfect score on its NIST 800-171 DIBCAC audit after deploying PreVeil. The SMB was able to meet 109 out of 110 controls, placing it among the nation's top prime contractors for cybersecurity. DIBCAC is the Defense Industrial Base Cybersecurity Assessment Center.
PreVeil: Simple and affordable
PreVeil Drive and Email deploy simply as an overlay system in a matter of hours and are cost-effective. They need to be deployed only to employees who handle CUI, whereas alternatives require deployment across entire companies.
Today hundreds of defense contractors, including many small- to medium-sized companies, use PreVeil to comply with DFARS and NIST because of its high security, low cost, simple deployment, and ease of use.
To learn more, contact us at preveil.com/contact or +1 (617) 579-8305.