Events

Since December 2017, Defense Department prime and subcontractors were required to have installed and implemented a compliant NIST SP 800-171 Security System Plan (SSP) and Plan of Action & Milestones (POA&M) designed to effectively safeguard “covered defense information.” In June 2019, DoD began to publicize that its cybersecurity requirements had evolved from the self-certified SSP and POA&M documentation to a mandatory certification by an outside third party at one of five levels specified level of cybersecurity compliance – the CMMC program. DoD had aggressive plans to insert CMMC requirements in RFIs around June 2020 and perhaps in RFPs by September 2020.  This may no longer be the case.

Companies now have to establish the status of their existing cybersecurity compliance plan in the context of the DoD (and other federal agencies) evolving requirements. Prudent contractors should understand and confirm if their NIST-based System Security Plan is sufficient (and at what “certified” level) for current and future contract obligations. Your company’s level of “cyber hygiene” will directly impact your eligibility to contract or subcontract with the Defense Department (and likely with some non-DoD agencies) as well as impact your competitive posture for evaluation purposes anywhere in the supply or service chain. Cyber compliance is now the foundation under the three statutory evaluation factors of technical, past performance and price.  The DoD requirements are in addition to the pre-existing FAR requirements regarding “federal contract information” as well as existing DHS, GSA and other agency requirements.