March 10, 2022

Last Updated on January 18, 2024

CMMC 2.0’s refocusing on NIST 800-171 as the compliance target for US defense industrial base (DIB) orgs that handle Controlled Unclassified Information (CUI) also comes with new attestation requirements. There are still some unknowns in that regard. But one thing that is known is this: whatever attestation scenario you ultimately face, being able to prove ongoing compliance with DFARS 7012 and other clauses in your DoD contract will be business-critical.

To share expert guidance on how defense suppliers can pragmatically embrace continuous compliance as a competitive opportunity (since you’ll have to do it either way), a recent episode of The Virtual CISO Podcast features Andrea Willis, Senior Product Manager at Exostar. Hosting the show is John Verry, Pivot Point Security CISO and Managing Partner.

DFARS 7019 is coming in new and renewing contracts

If your current contract includes a DFARS 7012 clause, as it renews or as additional task orders are issued this will likely be updated to DFARS 7019, Notice of NIST SP 800-171 DoD Assessment Requirements. The new clause unambiguously mandates that you post a NIST 800-171 compliance score to the DoD’s SPRS database.

3 reasons why you need solid compliance to back up your SPRS score

What’s the big deal about posting a score in SPRS? The number you attest to is a claim to the market about what you offer. This puts your company and your senior leaders directly under the gaze of the US Department of Justice (DoJ), which enforces the whistleblower-friendly False Claims Act. Therefore:

  1. As a senior leader attesting to your org’s level of NIST 800-171 conformance under DFARS 7012 or DFARS 7019 on what is effectively a control-by-control basis, you’re going to want to know for sure that your SPRS score is accurate.
  2. As a senior authorizing official soon to be signing off on an SPRS score as part of self-attested CMMC 2.0 compliance, you’ll need ongoing, consistent compliance data as part of your self-attestation. A Prime or other partner may well ask for that evidence even if the government doesn’t.
  3. To have any hope of passing a CMMC 2.0 audit in the event one is required, you’ll need two forms of evidence for each control that demonstrate its “persistent and habitual” performance. This may not literally mean “continuous” proof, but data points will need to be regular and in an appropriate cadence.

In short, in every potential attestation scenario for DIB orgs that handle CUI (CMMC Level 2), you’re going to be reliant on your compliance program to stave off intolerable compliance risk.


What’s next?

If you aren’t currently gathering compliance data on your security controls, the first question is often “Where do we start?” Strategic advice from an expert third party is often highly valuable in establishing the answer.

To connect with a NIST/CMMC expert to discuss your needs and questions, contact Pivot Point Security.

To listen to the complete podcast episode with continuous compliance advocate Andrea Willis from Exostar, click here.

New CMMC V2 Certification Guide

A Simple Guide to Comply with the DoD's Cybersecurity Maturity Model Certification (CMMC) This NEW CMMC V2 Certification Guide will give you a quick and easily digestible introduction to the CMMC and the process we use to help our clients become CMMC compliant.