Don’t Overlook DFARS 7012 (c)-(g) Incident Reporting Requirements


In a recent PreVeil webinar, Stacy Bostjanick, DoD CMMC Program Head, said that CMMC Level 2 assessors will check defense contractors’ compliance with NIST SP 800-171, but not their compliance with the cyber incident reporting requirements in DFARS 252.204-7012 paragraphs (c)-(g). Don’t be lulled into complacency: you will still need to comply with those DFARS requirements. Bostjanick emphasized that there is no expectation that the DoD will sunset the 7012 contract clause when CMMC is implemented. Rather, the nature of 7012’s (c)-(g) incident reporting requirements is such that enforcement most often happens after the fact. When an incident occurs, 7012 (c)-(g) requires contractors to report it to the DoD Cyber Crime Center (DC3) within 72 hours of discovery, submit any malicious software found, preserve images of affected systems and relevant monitoring data for at least 90 days from the date of the report, provide DC3 with access to additional information it requests for forensic analysis, and support any damage assessment that follows.


What does this mean for defense contractors?


DoD and the Department of Justice are sending a loud and clear message to contractors: improve your cybersecurity, better protect CUI, and accurately report your self-assessment scores to the DoD as required. If contractors want to continue doing work for the DoD, now is the time to act. Any weak link in your organization’s cybersecurity is a serious business risk. If DC3’s forensic analysis of a cyber incident determines, for example, that it resulted from a contractor’s failure to adequately secure CUI, DC3 may flag the problem to the Defense Contract Management Agency (DCMA). And if a DCMA assessment of the incident finds negligence on the contractor’s part, penalties are likely to follow, either through DoD actions related to the contract or through the Department of Justice (DoJ) un ..
