Keeping government information secure from unwanted eyes is critical to our national security. Yet companies that process sensitive government data (whether directly or as a sub-contractor in the supply chain) have only been required to “self-attest” to their conformance with relevant DFARS/NIST SP 800-171 guidance… until now.
The self-attestation approach has not worked very well, as evidenced by notable breaches of critical government information. This has driven the U.S. Department of Defense (DoD) and other government agencies to mandate a higher level of attestation: the Cybersecurity Maturity Model Certification (CMMC).
Leading up to the release of the CMMC certification, the DoD decided to add a new DFARS Interim Rule (DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements) that took effect on November 30, 2020. This clause states that government contractors and their subs will need to have a current assessment score representing their NIST SP 800-171 progress published within the Supplier Performance Risk System (SPRS) before award of contract.
Our Services
Environmental Readiness Check
Reef Systems offers an Environmental Readiness Check that will help your organization uncover systems and processes that may not meet the standards outlined in NIST SP 800-171, such as:
- How is data stored and access to information controlled?
- Are incident response plans in place, current, and effective?
- Are IT staff and other personnel adequately trained?
- How are security protocols implemented and maintained?
Environmental Gap Assessment
Reef Systems also offers a NIST SP 800-171 Gap Assessment, which will pinpoint risk areas for contractors and facilitate the creation and execution of the Gap Remediation Plan. Without a Gap Assessment in hand, contractors may find it impossible to identify risks, prioritize activities, and determine costs for any remedial steps required in pursuing the CMMC certification.
Gap Remediation
Reef Systems also offers NIST SP 800-171 Gap Remediation as a prioritized, actionable plan to address any security needs uncovered in the Gap Assessment and bring the contractor into NIST SP 800-171 compliance. This includes creating a Plan of Action & Milestones (POA&M) that will need to be uploaded into the Supplier Performance Risk System (SPRS) and will document:
- Addressing necessary activities to resolve security issues
- Allocating required resources to mitigate any problems and close security gaps
- A timeline with project completion dates and milestones to track progress for anything that is not completed
- Insights into security vulnerabilities