Cybersecurity

Do you know these facts about cybersecurity?

• 61% of experts in technology and policy predict a major cyberattack causing widespread harm will occur by 2025, according to a Pew Research Center report.
• $445 billion is lost annually to cybercrime and espionage across the entire world economy, according to the Center for Strategic and International Studies.
• 46,605 breaches of federal computer networks occurred in 2013 according to the US - Computer Emergency Readiness Team.

Now, do we have your attention?

All Department of Defense (DoD), General Services Administration (GSA), and NASA contractors must have met the Federal Acquisition Regulations (FAR) minimum cybersecurity standards as of December 31, 2017. If you are not compliant, your company is at risk of losing federal contracts.

On November 30, 2020, a second significant DoD cybersecurity contracting requirement became effective. The Defense Federal Acquisition Regulation Supplement (DFARs): Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) introduced three new DFARs clauses:

1. DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements
1. This clause provides the requirement for a cybersecurity assessment to be completed prior to contract award and score entered in the Supplier Performance Risk System (SPRS).
2. DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements
1. This clause includes the DoD assessment requirements for contractors.
3. DFARS 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification (CMMC) Level Requirement*
1. This clause describes the requirements for DoD’s new CMMC program.

*Note: All of the above DFARs clauses are effective while DoD reviews and modifies the CMMC program, however, DoD is not utilizing DFARs 252.204-7021, which implements CMMC, until the review and regulation change is effective. The CMMC 2.0 modifications to the DFARS are anticipated to be effective in the first quarter of 2025 at which point a three-year phase-in of CMMC requirements on DoD contracts will begin. Once CMMC is implemented, it will be a pre-award requirement at the level required by the DoD contract: CMMC L1 self-assessment, CMMC L2 self-assessment or certification, or CMMC L3 certification.

It is important to note that DoD cyber contracting requirements do not apply to commercial off-the-shelf and micro-purchases.

If you are a manufacturer that makes a product unique to DoD specifications, you most likely need CMMC Level 2. CMMC Level 2 takes many months to attain, so don’t wait to get started!

If you’re like many manufacturers, you may not know everything that is expected or even how to get started. To make this process easier Purdue MEP has assembled a team of cybersecurity experts to help ensure you are compliant with the standards described in NIST Special Publication 800-171. Additionally, you could attend one of our cybersecurity workshops to learn the DoD cybersecurity requirements, to be exposed to resources to help you become compliant, and to meet local cybersecurity providers.

Why is it important to determine the correct cyber compliance level for your company?

Determining the correct cyber compliance level for your company could potentially save tens of thousands of dollars and months of work. It is based on the information that you receive and must protect. Click here to learn more.

DON’T RISK BEING UNPREPARED. CALL TO SEE HOW WE CAN HELP.