Last Updated on November 18, 2020
If your business is part of the US defense industrial base (DIB), you already know that big changes are afoot with the US Department of Defense (DoD) cybersecurity compliance program. As the DoD and its 300,000+ suppliers transition to the new Cybersecurity Maturity Model Certification (CMMC) initiative, the days of “grade your own test” are all but over.
But with complete CMMC implementation still a few years away, what about cybersecurity compliance under current contracts? Has anything changed that DoD subcontractors need to worry about?
In a word, totally. The Defense Contract Management Agency (DCMA), the DoD’s contract administration arm, now has a mandate to audit DIB companies for compliance with the NIST 800-171 cybersecurity standard.
The DCMA obviously isn’t geared up to audit its entire supply chain. But if your company is tagged for an audit, how rigorous is it likely to be? And what is it likely to focus on, specifically?
To clarify these new changes and how to prepare for them, we asked John Ellis to be our special guest on The Virtual CISO Podcast. John heads the DCMA’s cybersecurity policy efforts, including its new interim audit program. Regarding actual assessments, John describes the basic flight plan: “A coordination for an assessment starts anywhere from 30 to 45 days prior to the assessment. The associated contracting officer will reach out to the intended company and ask them to participate in an assessment with DCMA. Once the company says yes, there’ll be … sort of an administrative coordination prior to the actual event.”
“We use DoD priorities to pick and choose the companies that do the work that we’re most interested in,” John remarks. “If you’re one of those companies, you tend to know that you’re one of those companies.”
But as John also notes, “That’s not to say we won’t… We’ve had a couple of instances where small companies had reported cyber incidents and we actually asked those companies to work with us as a follow-on to see what progress they had made.”
“We understand that system security plans, one of the key elements of an assessment, can be very sensitive,” John continues. “So prior to the COVID-19 impacts… we were very careful not to ask companies to send SSPs to us. We would actually ask that those be made available to us when our assessors showed up on-site.
“The week of the assessment typically starts on a Monday. The assessment starts with an in-brief, followed by a careful document review. If you give us documentation, we will review your documentation. Which does come in handy when you’re not sure where the policy may be—because our guys will help you find it.
“That first day is all about preparation. The real assessment begins on the Tuesday morning, typically. It’s scheduled to go through Friday. The length of the assessment really depends on how well the company is prepared; how well they know how to touch all the things that need to be touched, and have the personnel available to demonstrate the things that have to be demonstrated.”
How long do assessments usually last?
“We’ve seen assessments go as fast as one-and-a-half days. We’ve seen them take the full week. The week generally ends with an out-brief. During the out-brief there are no surprises. It’s a complete open kimono sort of assessment,” says John.
To support transparency, each day of the process includes a “hot wash” to highlight open issues. “There’s no mystery involved in the entire process, and it’s not intended to be a ‘gotcha,’” reassures John. “We’re not there to rain on anybody’s parade.”
The out-brief also openly goes over the company’s tentative compliance score. “And in the event that it’s needed, there’s a reclama period: there’s just some artifact, some document, some piece of work that was not able to be accomplished during a review. It could take up to 30 days after the assessment to clear those items…,” adds John.
The audited company gets its final report approximately 30 to 45 days after the audit. The final score is entered into the Supplier Performance Risk System (SPRS) and shared across the DoD.
But what about the scope of the audit? Does it cover just NIST 800-171 compliance? Or that plus additional requirements in the company’s DFARS clause?
“The emphasis of the assessment is on the implementation of those 110 requirements laid out in NIST 800-171,” John confirms. “This is part of the assessment methodology. If you go look at that November 2019 memo that [Undersecretary of Defense for Acquisition and Sustainment] Ms. Ellen Lord put out… it basically lays out the entire assessment.” This is subject to change under the new DFARS Interim Rule change.
“If you want to know how the homework is going to be graded, all you have to do is go look at the NIST 800-171A assessment guide that goes with NIST 800-171,” emphasizes John.
What about the dreaded “finding”? Do companies that “flunk” their audits need to produce a Plan of Action & Milestones (POAM) to address identified issues?
“We’re actually expecting to see the POAMs identified via the company’s self-assessment,” John asserts. “Part of the preparation for an assessment is for the company to perform a self-assessment. In areas where they believe they have not fully demonstrated a requirement, they should have a POAM to demonstrate that they’re aware of the issue, and they understand the scope and magnitude of what they need to do to get it right.”
The compliance expectation—as outlined in the current DFARS rule—is that businesses need to have a system security plan that includes POAMs for any deficient areas. In the event of “a deficiency” in compliance, the company can either put a POAM together while the audit team is onsite, or during the reclama period.
“In the few cases where that’s not been the case, that’s when you start getting into what the DCMA calls a corrective action request,” John reports. “Which is an administrative procedure where a contracting officer notifies the contractor that you’re deficient in a particular area, and now you’ve got to fix it.”
If your company is part of the DoD supply chain, you’ll find this episode with John Ellis tremendously valuable to help you prepare to demonstrate cybersecurity compliance.