CYBER Rules: DOD’s DFARS and CMMC Explained

Cybersecurity expert Rob Knake informally interviews top cybersecurity lawyer Evan Wolff about an important change affecting the Cybersecurity Maturity Model Certification (CMMC) and the DFARS rules that precede it.

On November 30th, 2020, the Department of Defense (DOD) Defense Federal Acquisition Regulation Supplement (DFARS) interim rule on assessing contractor implementation of cybersecurity requirements goes into effect. To understand what it all means, we talked to top cyber lawyer Evan Wolff.

In this interview, Wolff walks through the history of the DFARS cyber rules from their initial implementation in 2013 taking us all the way out to the 2025 deadline when the CMMC will go fully into effect. Watch the video below, or review the transcript at the end of this blog post.


While CMMC has gotten the most attention, Wolff says that small and medium-sized defense contractors should be far more concerned with the immediate requirement to conduct and submit assessments of their compliance with the existing requirements of NIST SP 800-171.

When DOD first introduced cybersecurity requirements for contractors with the DFARS clause (sometimes known as "the safeguarding clause") in 2013, it required contractors to implement adequate measures to protect government information on their systems. Since then, DOD has moved in stages: from that general "adequate security" requirement, to a requirement to implement the specific controls of NIST SP 800-171, to the concept of cyber maturity introduced with CMMC.

The safeguarding clause requires contractors to do three things:

  1. Develop a System Security Plan (SSP) that documents how they are meeting the requirements of NIST SP 800-171, and a Plan of Action and Milestones (POAM) describing how and when they will address any deficiencies.
  2. Flow down these requirements to subcontractors with whom covered information is shared.
  3. Report any incident involving the loss or compromise of covered information to the Department of Defense within 72 hours through the DIBNet portal.

Starting November 30th, contractors will be required to assess (Read more...)

*** This is a Security Bloggers Network syndicated blog from IntelliGO MDR Blog authored by IntelliGO Networks. Read the original post at: https://mdr.intelligonetworks.com/blog/doddfarsandcmmcexplained