Video

Video by Michael Dunbar, Chad Hilton, Douglas Key

Cybersecurity Compliance: An Introduction to DFARS 252.204-7012 and NIST SP 800-171 Requirements

Defense Contract Management Agency

July 20, 2021 | 6:29

A presentation of the concepts related to the regulatory requirements governing contractor cybersecurity and the handling of Controlled Unclassified Information, as well as the process of attaining and demonstrating compliance through assessment.

Glossary of Terms:

DCMA
Defense Contract Management Agency; administrating agency of the Defense Industrial Base Cybersecurity Assessment Center

Prime
Prime contractor; works directly with the government, manages any subcontractors, and are responsible for ensuring that the work is completed as defined in the contract

Sub
Subcontractor; supplier, distributor, vendor, or firm that furnishes supplies or services to or for a prime contractor or another subcontractor

Enclave
Section of an internal network that is subdivided from the rest of the network which operates in the same security domain and shares the protection of a single, common, continuous security perimeter

Basic (Contractor Self-Assessment) NIST SP 800-171 DoD Assessment (also referred to as ‘Basic’ or ‘Basic Assessment’)
The Basic Assessment is the Contractor’s self-assessment of NIST SP 800-171 implementation status, based on a review of the system security plan(s) associated with covered contractor information system(s), and conducted in accordance with NIST SP 800-171A….and Section 5 and Annex A of [the NIST SP 800-171 DoD Assessment Methodology].

Medium NIST SP 800-171 Assessment (also referred to as ‘Medium’ or ‘Medium Assessment’)
The Medium Assessment is conducted by DoD personnel who have been trained in accordance with DoD policy and procedures to conduct the assessment...will consist of a review of the system security plan description of how each requirement is met to identify any descriptions which may not properly address the security requirement. (see NIST SP 800-171 DoD Assessment Methodology)

High (On-Site or Virtual) NIST SP 800-171 DoD Assessment (also referred to as ‘High’ or ‘High Assessment’)
The High Assessment, conducted by DoD personnel who have been trained in accordance with DoD policy and procedures to conduct the assessment, requires a thorough on-site or virtual verification/examination/demonstration of the Contractor’s system security plan and implementation of the NIST SP 800-171 security requirements. (see NIST SP 800-171 DoD Assessment Methodology)

Resources:

Supplier Performance Risk System (SPRS)
https://www.sprs.csd.disa.mil/

OUSD(A&S) Strategically Assessing Contractor Implementation of NIST SP 800-171 site
https://www.acq.osd.mil/dpap/pdi/cyber/strategically_assessing_contractor_implementation_of_NIST_SP_800-171.html

NIST SP 800-171 Rev. 2
https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

NIST SP 800-171A
https://csrc.nist.gov/publications/detail/sp/800-171a/final

DoD Procurement Toolbox – Cybersecurity in DoD Acquisition Regulations
https://dodprocurementtoolbox.com/site-pages/cybersecurity-dod-acquisition-regulations

**LATEST VERSIONS AS OF THE TIME OF VIDEO PUBLICATION.**