DTC Global
Authority. Expertise. Accuracy. A recognized authority on DFARS & CMMC compliance.
Cybersecurity Maturity Model
Cybersecurity Maturity Model Certification* is a program established by the United States Department of Defense (DoD) to demonstrate its defense contractors' ability to safeguard and protect Controlled Unclassified Information (CUI) and Federal Contract Information according to federal standards and DoD agency requirements.
*Fair use of the CMMC logo does not constitute any endorsement of DTC Global products and services.
Here For You
DTC Global – Help is on the Way
Jun 30, 2021 — Board member Regan Edens has resigned from the CMMC Accreditation Body after he publicly attacked a member of the CMMC-AB’s own Industry
Reason for Action
Material Breach & Enforcement
In June 2022, the Department of Defense (DoD) released a memorandum to affirm DoD contractors' responsibilities and DoD contracting officers' obligation to enforce these requirements for prime contractors, tier suppliers and subcontractors, and certain cloud services.
- DFARS 252.204-7012 requires a contractor to implement, at minimum, the NIST SP 800-171 security requirements.
  - Contractors must implement all of the NIST SP 800-171 requirements and have a plan of action and milestones for each requirement not yet implemented.
- Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements.
- Remedies for such a breach may include: withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.
- In accordance with DFARS 204.7303(b)(2) the Contracting Officer must verify, prior to award of a new contract, option exercise, contract extension or new procurement modification, task order, or delivery order.
  - The contractor must have the summary level score of a current NIST SP 800-171 DoD Assessment for that system posted in SPRS.
  - This requirement applies even if the new award does not include DFARS clause 252.204-7020.
Jun 30, 2021 — Regan Edens resigned Tuesday from the Accreditation Body after allegations of improperly profiting off his status as a CMMC board member.
Your Path To
Compliance
CUI Discovery
The cornerstone for all requirements! What is CUI? What are your CUI security requirements? Where does CUI flow within your operations? Who creates CUI? Where does CUI flow outside your company?
DoD policy requires contractors follow CUI laws, regulations, and government-wide policies. DoD also has unique requirements that must be applied to all CUI and specific requirements for certain categories of CUI. Your company is responsible for safeguarding and marking all CUI created and developed during the contract performance. GET ANSWERS.
Risk & Security Assessments
These two requirements provide the foundation for your System Security Plan. Remember, although NIST guidance says they may be informal, DFARS and CMMC require EVIDENCE for each control/practice and each assessment objective. Understand the requirements and controls with CERTAINTY. Document the risks related to the applicable CUI Basic & Specified Requirements. Document the security control assessment to determine your current conformity, gaps, and non-conformities for each control/practice and each assessment objective. RM.L2-3.11/CA.L2-3.12
Plan of Action & Milestones
Turn your risks, non-conformities and gaps into tasks on your plan of action and milestones (POA&M), which is your “To do” list managed across each impacted area in the company. The POA&M is the single point of failure for most companies. Our CMMC ePU documentation is integrated into a special version of FutureFeed, which allows you to manage each task, progress, and deliverable across all your stakeholders. From requirements to tasks, tasks to people, people to activities, activities to deliverables, deliverables to budgets. CA.L2-3.12.2
System Security Plan
The most important document you will produce as evidence on your path to compliance. NIST calls for “overwhelming evidence” of compliance, and DoD and CMMC assessors enforce this expectation with rigor. DoD cites two major sources of failure: failure to understand the requirements and failure to provide satisfactory evidence of compliance.
Do not make the mistake of investing 12-24 months of effort and thousands of dollars to “think” you’re right and place 30% or more of your revenue at risk. CA.L2-3.1.3
WARNING - DoD is conducting 5 Day Notice Audits
- Have you conducted your REQUIRED Basic Self-Assessment?
- Have you reported your SPRS Score?
- Do you have substantial evidence to support your score?
DFARS 7020 says, “Requirement. In order to be considered for award, if the Offeror is required to implement NIST SP 800-171, the Offeror shall have a current assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.”
- Many large prime contractors are enforcing minimum SPRS scores.
- DoD analysis from the SPRS audits stated SIGNIFICANT findings based on a failure to understand requirements and lack of sufficient evidence.
DFARS 7012 and CMMC Requirements are:
• HIGHLY COMPLEX and DEMAND SIGNIFICANT EVIDENCE
• DISRUPTIVE and COSTLY
• CONFUSING and AMBIGUOUS
DTC Global provides:
• SPECIALIZED EXPERIENCE and “OVERWHELMING” EVIDENCE
• IMPLEMENTATION GUIDANCE AND AN EFFICIENT PATH TO CERTIFY
• CLARITY and CERTAINTY
• DIY to INTENSIVE SUPPORT
• CMMP ePU – KNOW-DO-CERTIFY
Introduction To CUI Fundamentals – Regan Edens
What you need to know about meeting Controlled Unclassified Information security requirements. This introductory video provides a first step in understanding the depth and breadth of complexity of CUI requirements for authorized holders within the defense industrial base (DIB), which is critical when executing contracts that contain or are subject to the DFARS contract clause 252.204-7012.
BEGIN YOUR PATH TO COMPLIANCE NOW
Blog
Transforming an organization is one of the hardest, most thankless challenges any leader can undertake. The DTC Global blog can help break down what you need to know about compliance into smaller, easier-to-digest components.
Digital Transformation Daily
Today’s Cyber & Technology Headlines. Stay on top of what’s going on in the CMMC ecosystem with up-to-the-minute articles that can help you transform and accelerate your organizational maturity compliance.
Additional Resources
There are significant risk factors shaping the CMMC Framework within the defense industrial and manufacturing base. Here are links to resources and other information you need.
Contact Us Today!
Office
Dallas, TX
Call Us
817-796-6838