SysArc’s primary aim is to provide DoD suppliers with Cybersecurity Maturity Model Certification (CMMC) readiness services and solutions, which is why we have dedicated our efforts to finding affordable, easy-to-implement solutions for our clients. The solutions we offer—including PreVeil’s Encrypted Email and File Sharing Solution—are always designed to not only help your business pass compliance controls set forth in NIST 800-171, DFARS, and CMMC but also significantly reduce the risk of cyber attacks.

CEO of SysArc, Tim Brennan, says, “We are constantly seeking out best-in-class solutions for our customers to ensure they are prepared to meet CMMC regulations and other compliance requirements. PreVeil is one of the services we recommend because it meets our high standard of affordability and simplicity when it comes to implementation.”

With PreVeil, our customers get significant compliance support around email and file sharing for a lower cost, because there are no migration project costs involved and the service only needs to be implemented for users within the organization who handle CUI. In addition, we can easily implement the PreVeil Email & Drive service without the headache of migrating every email and file for all users, as is required with alternative products.

“A simpler, more affordable alternative to GCC High”

For an In-Depth Look: Download our CMMC Encrypted Email & File Storage White Paper

• Name*
• Company*
• Phone*
• Email*
• Email
  This field is for validation purposes and should be left unchanged.

Δ

“Our email and file encryption solution is a simpler, more affordable alternative to GCC High” -SysArc Cybersecurity Team

With its unique end-to-end encryption, PreVeil provides a higher level of IT security that protects your data, even if systems become breached or compromised. Our ability to easily implement such a highly valuable service at a reasonable cost makes it even more worthwhile for our customers. With such advantages, we are proud to recommend PreVeil as a reliable service for DoD suppliers who wish to optimize their security and achieve cybersecurity compliance.

For an in-depth look into how the PreVeil solution helps DoD suppliers meet the email and file encryption requirements of DFARS & CMMC, please contact a SysArc consultant today to schedule a demo.

Since the passing of the Defense Acquisition Federal Regulation Supplement (DFARS), many U.S. Department of Defense (DoD) suppliers have already implemented the NIST SP 800-171 (Rev. 1) cybersecurity controls required by the mandate.

However, with the upcoming release of Cybersecurity Maturity Model Certification (CMMC), many DoD contractors are concerned if they are properly prepared for certification with the implementation of NIST 800-171 (Rev. 1), and which CMMC maturity level that most closely resembles. This article aims to clear up some of that confusion and ease DoD supplier concerns.

Please note that the information presented in this article is based on draft version 0.7 of CMMC. We will update this article as the Office of the Under Secretary of Defense for Acquisition & Sustainment releases updated versions of CMMC.

NIST SP 800-171 Rev. 1 Closely Resembles CMMC Level 3

As outlined in the table graphic below, NIST SP 800-171 (Rev. 1) security controls (plus an additional 21 recently added “practices”) should be sufficient to certify contractors up to CMMC Level 3.

Will CMMC Level 3 Be Enough for Your Company?

The DoD has stated that they believe that CMMC Levels 1-3 will sufficiently cover 95% of DoD contract requirements. If level 4 and 5 are required, contractors will need to implement additional controls including NIST SP 800-171 (Rev. B) plus an additional 24 practices to be certified at those levels.

Getting Help

If your company needs help implementing NIST SP 800-171 Rev. 1 controls, or the additional controls in Rev. B, we can help. We have helped over 50 DoD contractors throughout the world navigate the complexities and financial hurdles of the NIST requirements. We have worked closely with our customers to ensure they are compliant with DFARS 252.204-7012 and now we are working with them to achieve the CMMC certification level they need to be competitive in the industry. For more information, please visit our CMMC Readiness Page. If you’d like to speak with someone about preparing for a CMMC audit now, feel free to give us a call at (240) 453-4146 or schedule a CMMC Readiness Consultation now.

In a recent letter to the U.S. Department of Defense (DoD), SysArc, a U.S. based Managed Security Service Provider (MSSP), advocates on behalf of private DoD suppliers for a streamlined and cost-effective process for suppliers to comply with the Government’s mandated cybersecurity standards.

Since 2017, SysArc has focused primarily on helping small and mid-size DoD suppliers across the U.S. implement cybersecurity programs in their organizations in order to comply with DFARS / NIST 800-171 and, more recently, with the upcoming Cybersecurity Maturity Model Certification (CMMC). CMMC builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements. SysArc’s dedicated team of cybersecurity experts have consulted with hundreds of DoD suppliers and gained a wealth of knowledge about the current challenges faced by these companies. The vast majority of the feedback they received from suppliers were concerns about the perceived costs associated with compliance and the complexity of deciphering the NIST 800-171 controls in order to understand exactly what it takes to meet the compliance standards.

To overcome these challenges, SysArc has worked over the last 3 years to significantly reduce the cost and complexity of getting companies to compliance by refining the assessment and remediation processes it uses to assist suppliers on compliance. This is what makes SysArc qualified to advocate on behalf of its DoD supplier customers and provide written comments regarding the Draft CMMC v0.4. SysArc will be doing the same when Draft CMMC Model v0.6 is released for public review in November 2019.

SysArc’s comments to the DoD with regards to the Draft CMMC v0.4 are summarized as follows:

1. Ensure that the CMMC standards that many suppliers have already been working on (110 security controls of NIST 800-171) don’t change significantly or at all. Keeping the standards relatively the same will ensure suppliers can bid on 80-90% of DoD contracts and not have to incur additional costs by adding or modifying current controls.
2. Provide advanced guidance to suppliers, before they go to get certified, on the CMMC Levels they are likely going to need to achieve in order to compete for the type of business they typically go after.
3. Reduce technical jargon by using natural language where possible and to define some of the time constraints in the controls more definitively.
4. Refrain from moving security controls from higher Levels of CMMC compliance to lower Levels, which makes it more difficult for suppliers to achieve compliance.

For more information about the Cybersecurity Maturity Model Certification and the Levels within it, please see SysArc’s guide to CMMC compliance written for DoD suppliers.

With the rollout of the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) requiring U.S. DoD contractors to become certified by meeting an appropriate level of cybersecurity standards, many DoD contractors are concerned with how they’ll pay for the costs associated with updating their systems and procedures.

Luckily, the DoD has announced that the costs to prepare for CMMC certification will be considered an “allowable cost.” Allowable costs are expenses specified in a contract that can be billed to the DoD. According to the CMMC website FAQ, “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.” The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP). This means that DoD contractors will now be able to get reimbursement for CMMC Assessment and Preparation Services as well as the remediation work that needs to be done to meet the appropriate level of cybersecurity controls specified in each contract.

This comes as great news for U.S. companies, many of whom have struggled to navigate the hurdles of complying with DoD cybersecurity mandates over the last few years.

For more information on the CMMC and how to prepare for a CMMC Audit, see our Guide to CMMC preparation written specifically for DoD contractors. If you would like to speak with an expert now, please feel free to give us a call at (800) 481-1984 or schedule a CMMC consultation now.

As the Department of Defense begins to crack down on the cybersecurity posture of its supply chain, ensuring compliance with the DFARS mandate and the National Institute of Standards and Technology (NIST) SP 800-171 specifically is becoming a top-of-mind concern for both technical and business side leaders. DoD contractors need to understand that 800-171 compliance is no longer about securing their own organization – but stopping infiltration of an entire node of federal agencies. Many manufacturers and contractors are faced with the challenge of allocating resources for these security requirements. While they may have achieved the necessary compliance standards in the time since the mandate went into effect, ensuring that the necessary audit trail and documentation is readily available is a completely different matter.

What is DFARS and NIST SP 800-171?

The federal government relies on external services to help carry out a wide range of federal missions as well as business functions. Many federal contractors and subcontractors “routinely process, store, and transmit sensitive federal information in their information systems to support the delivery of essential products and services to federal agencies.” With that being said, the contractor community has to provide assurance to DoD that their IT system can offer a high level of security to protect this sensitive information. If any contractor fails to do so, they can inevitably lose their contracts.

The document details requirements for protecting Controlled Unclassified Information (CUI) when:

• The CUI is resident in nonfederal information systems and organizations
• The information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies
• Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry
• In practical terms, although companies that work with the DoD already apply rigorous controls over classified data, now the protection is extended to the unclassified systems that include covered defense information, which creates wider-reaching consequences for the contractors. Being compliant can determine the future of businesses.

There are fourteen families of security requirements to be SP 800-171 compliant to protect the confidentiality of CUI in nonfederal information:

• Access Control
• Audit and Accountability
• Awareness and Training
• Configuration Management
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Physical Protection
• Personnel Security
• Risk Assessment
• Security Assessment
• System and Communications Protection
• System and Information Integrity

The Challenge Facing Many DFARS Contractors

Especially as the DoD moves out of a self-certification approach to ensuring 800-171 compliance, contractors need to ensure that they have resources consistently dedicated cyber. For many of these contractors that are not primes, the problem becomes resource constraints. Often, having an in-house compliance and risk team means creating an in-house compliance and risk team. Whether a contractor has an assigned information security team already in place or if they are exploring their options, DFARS compliance is too pertinent to wait. In many cases, outsourcing is a far more viable and economic option to achieve DFARS compliance and ensure that the SP 800-171 requirements are met.

Outsourcing DFARS Compliance

As we’ve said, meeting NIST 800-171 requirements is primarily about resource allocation – both time and money. For a majority of contractors, the most cost-efficient method to reaching and maintaining DFARS compliance is through a managed service provider. By supplementing your organization with a trusted outside security team, you can save your in-house resources for the necessary aspects of your business and spare months of training and a massive investment developing your own program.

By using a service provider that uses an AI backed solution like the CyberStrong platform, contractors also get the added benefit of scaling beyond the baseline of DFARS compliance. As more compliance requirements emerge and cyber risk becomes a greater concern for CEOs and the Board across all industries, having a solid foundation to build upon is a critical step. Augmenting your organization with a specialized information security team helps you scale faster and ensure that your business and revenue is secure.

This guide was written to help DoD contractors and subcontractors quickly understand what is required of them to take proper action after they either suspect or discover a cyber incident on their information systems in compliance with DFARS regulations.

If you need information about how to protect yourself from cyber incidents, rather, please see our guide on NIST 800-171 for DFARS Compliance.

What is a Cyber Incident?

According to section 252.204-7012 of DFARS Documentation, a cyber incident is defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on a DoD contractor’s information system and/or the information residing therein.” This broad definition includes actions that are taken by DoD contractors or subcontractors internally, and unauthorized outsiders, such as cyber criminals or foreign actors.

In simple terms, a cyber incident is any action taken, either internally or externally, that results in the compromise or potential compromise of a DoD contractor’s information system.

How to Know if There’s a Cyber Incident

Part of the DFARS regulation requires DoD contractors and subcontractors to implement and utilize cyber security monitoring tools. These tools may or may not have been implemented by your internal IT department, outsourced IT service provider, or a Managed Security Service Provider (MSSP) like SysArc. These monitoring tools would alert you of any compromise or attempt to compromise your information systems.

How to Report a Cyber Incident to the DoD

According to DFARS 204.7301 definitions, a cyber incident must be “rapidly reported” within 72 hours of your discovery of the incident. 204.7302 policy then states that DoD contractors and subcontractors must submit the following information via the DoD reporting website:

1. A cyber incident report;
2. Malicious software, if detected and isolated; and
3. Media (or access to covered contractor information systems and equipment) upon request.

What information goes in the incident report?

DoD Contractors that are not providing Cloud Services

On the DIBNet Portal website, DoD contractors, except those providing cloud services, are required to submit as much as the following 20 items of information as possible:

1. Your company name
2. Company point of contact information (address, position, telephone, email)
3. Data Universal Numbering System (DUNS) Number
4. Contract number(s) or other type of agreement affected or potentially affected
5. Contracting Officer or other type of agreement point of contact (address, position, telephone, email)
6. USG Program Manager point of contact (address, position, telephone, email)
7. Contract or other type of agreement clearance level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
8. Facility CAGE code
9. Facility Clearance Level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
10. Impact to Covered Defense Information
11. Ability to provide operationally critical support
12. Date incident discovered
13. Location(s) of compromise
14. Incident location CAGE code
15. DoD programs, platforms or systems involved
16. Type of compromise (unauthorized access, unauthorized release (includes inadvertent release), unknown, not applicable)
17. Description of technique or method used in cyber incident
18. Incident outcome (successful compromise, failed attempt, unknown)
19. Incident/Compromise narrative
20. Any additional information

DoD Contractors that are providing Cloud Services

For DoD Contractors providing Cloud Services on behalf of the Department of Defense, the DoD requires you to submit the following 16 items of information:

1. Contract information to include contract number, USG Contracting Officer(s) contact information, contract clearance level, etc.
2. Contact information for the impacted and reporting organizations as well as the MCND
3. Details describing any vulnerabilities involved (i.e., Common Vulnerabilities and Exposures (CVE) identifiers)
4. Date/Time of occurrence, including time zone
5. Date/Time of detection and identification, including time zone
6. Related indicators (e.g. hostnames, domain names, network traffic characteristics, registry keys, X.509 certificates, MD5 file signatures)
7. Threat vectors, if known (see Threat Vector Taxonomy and Cause Analysis flowchart within the US-CERT Federal Incident Notification Guidelines)
8. Prioritization factors (i.e. functional impact, information impact, and recoverability as defined flowchart within the US-CERT Federal Incident Notification Guidelines)
9. Source and Destination Internet Protocol (IP) address, port, and protocol
10. Operating System(s) affected
11. Mitigating factors (e.g. full disk encryption or two-factor authentication)
12. Mitigation actions taken, if applicable
13. System Function(s) (e.g. web server, domain controller, or workstation)
14. Physical system location(s) (e.g., Washington DC, Los Angeles, CA)
15. Sources, methods, or tools used to identify the incident (e.g., Intrusion Detection System or audit log analysis)
16. Any additional information relevant to the incident and not included above

Do you need further assistance?

For DoD contractors who need further consultation, please feel free to give us a call at (866) 583-6946, or read about our NIST 800-171 Services. We help DoD contractors and subcontractors all over the United States comply with DFARS using the NIST 800-171 cyber security framework.  

We work with the Department of Defense (DoD) Contractors all over the United States and help them navigate the complexities of DFARS and NIST 800-171 compliance. One of the most common questions we get asked is what is meant by “Adequate Security” in the compliance requirements. “Adequate Security” is extremely vague, so it’s no wonder DoD Contractors have trouble understanding whether their current information security is adequate or not. We seek to clear up this confusion in this article.

Making Sense of The Official Language

According to section 252.204-7012 of DFARS documentation, “Adequate security” means protective measures that are put in place to mitigate the consequences and probability of loss, misuse, or unauthorized access to, or modification of information. The documentation proceeds to list out two scenarios for DoD Contractors and then provides the guidelines on protective measures for adequate security.

These scenarios are:

1. Contractors that have information systems that are not part of an Information Technology (IT) service or system operated on behalf of the Government, and;
2. Contractors that have information systems that are part of an IT service or system operated on behalf of the government

Scenario 1: Contractors with IT Systems that are not a part of or operated on behalf of the Government

For Contractors with IT Systems that are not part of an IT service or system operated on behalf of the Government, the information system must adhere to the security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (or NIST SP 800-171), at the time the contract solicitation is issued or as authorized by the Contracting Officer.

Complete documentation on NIST SP 800-171 controls is available here. If you need help implementing these controls, please see our NIST compliance services.

Scenario 2: Contractors with IT Systems a part of or operated on behalf of the Government

For Contractors with IT Systems that are part of an IT service or system operated on behalf of the Government, the requirements for adequate security are:

1. Cloud Computing Security
• If the Contractor indicated in its offer that it “does not anticipate the use of cloud computing services in the performance of a resultant contract,” in response to provision 252.239-7009, and after the award of this contract, the Contractor proposes to use cloud computing services in the performance of the contract, the Contractor shall obtain approval from the Contracting Officer prior to utilizing cloud computing services in performance of the contract.
• The Contractor shall implement and maintain administrative, technical, and physical safeguards and controls with the security level and services required in accordance with the Cloud Computing Security Requirements Guide (SRG), unless notified by the Contracting Officer that this requirement has been waived by the DoD Chief Information Officer.
• The Contractor shall maintain within the United States or outlying areas all Government data that is not physically located on DoD premises, unless the Contractor receives written notification from the Contracting Officer to use another location, in accordance with DFARS 239.7602-2(a).
2. Any other such IT service or system (other than cloud computing) shall be subject to the security requirements specified in scenario 1 above.

DFARS Consultants are Available to Help

If you are a DoD Contractor and have any questions about DFARS and NIST SP 800-171, feel free to give us a call at: (866) 583-6946. Our DFARS Compliance specialists are happy to assist you in navigating the challenges of DFARS, and help you implement the security controls detailed in NIST SP 800-171.

Broadly speaking, the U.S. Government defines Controlled Unclassified Information (CUI) as any information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies.

But how does this broad definition apply to Department of Defense (DoD) Contractors? More specifically, what is CUI with regards to the Defense Federal Acquisition Regulation Supplement (DFARS) and NIST 800-171? This short article will answer these questions for DoD Contractors.

CUI That Concerns DoD Contractors

As described in the CUI registry, CUI that pertains specifically to the DoD is known as Covered Defense Information. Covered Defense Information includes:

• Controlled Technical Information and;
• Contractor Attributional/Proprietary Information

Controlled Technical Information

According to section 252.204-7012 of DFARS Documentation, Controlled Technical Information means technical information with military or space application.

Examples of technical information include: research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.

Contractor Attributional/Proprietary Information

The second type of Covered Defense Information is Contractor Attributional/Proprietary Information. According to 252.204-7012, this information identifies the contractor, whether directly or indirectly, by the grouping of information that can be traced back to the contractor (e.g., program description, facility locations), personally identifiable information, as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company.

Protecting CUI

DFARS Policy 204.7302 states that Covered Defense Information is to be protected and monitored on the DoD Contractor’s information system(s), as well as the Department of Defense’s systems. Contractors are also required to rapidly report cyber incidents (actual or potentially compromised information) within 72 hours to the Department of Defense here.

More Guidance on CUI and How to Protect It

If you are a DoD Contractor and have any questions about CUI and how to protect it, feel free to give us a call at: (866) 583-6946. Our DFARS Compliance specialists are happy to assist you in navigating the challenges of DFARS, and help you implement the security controls detailed in NIST SP 800-171.