Last month, the Department of Defense (DoD) published its DFARS Final Rule 252.204-7024. It will require contracting officers to consider Supplier Performance Risk System (SPRS) risk assessments, if available, in the evaluation of a supplier’s quotation or offer and to consider SPRS supplier risk assessments – and whether a contractor is “responsible” enough to be awarded the contract.

In addition, the DoD is now collaborating with federal civilian agencies to impose the new Federal Acquisition Regulation (FAR) rule. It would apply new Cybersecurity Maturity Model Certification (CMMC) requirements to vendors that handle controlled unclassified information (CUI), according to the DoD CMMC lead.

“There is a FAR rule that’s going to be coming out that implements the [National Institute of Standards and Technology’s (NIST)] SP 800-171 and the 800- 172. And it’s going to go across all Federal government,” Stacy Bostjanick, chief of defense industrial base cybersecurity within the Office of the DoD CIO, said during a virtual event hosted by PreVeil on April 4.

Bostjanick explained that the move is meant to better protect Federal information. As a result, Federal civilian contractors that handle the government’s sensitive data will now be required to meet basic cybersecurity standards – similar to those imposed on the defense contractors under the CMMC program.

“We are working with the Federal CISO Council today to try to make sure that we’re consistent across all of the Federal government, how we view those 110 controls [under NIST SP-800-171], so we’re not going to be onerous on the industry partners,” added Bostjanick.

Strengthening Cybersecurity at the Federal Level

In November of 2021, the DoD announced the new “strategic direction” for its Cyber Maturity Model Certification (CMMC), which sought to address the issues the first iteration faced including the cost and complexity. The new version, CMMC 2.0, was meant to better align with existing federal standards and to cut red tape for small and medium-sized businesses.

The final rulemaking for CMMC is still in the works but should be delivered sometime later this year.

DFARS Final Rule 252.204-7024 could further improve upon it, as DFARS 7024 makes clear that DoD’s evaluation of defense contractors via SPRS focuses on the level of risk that competing contractors present to DoD’s mission.

Cybersecurity experts have suggested this should be seen as a step in the right direction.

“This is focused on 800-171 reporting, aka CMMC efforts,” Tom Brennan, executive director of the CREST Americas Region, told ClearanceJobs via an email. “In summary, all organizations doing government contracting need to meet minimum requirements. This security plan is like what CREST does to verify service providers operating in Penetration Testing, Threat Intelligence, Security Operations Centers, and Incident Response. CREST supports this effort entirely.”

This could also ensure that a contractor will not be a weak link in another otherwise secure cybersecurity chain.

“This change is another step in the right direction. Third-party supply chain risk was a leading indicator of several large security breaches that have occurred recently, and any third-party risk is, in reality, the department’s own accepted risk,” explained Roy Akerman, co-founder and CEO of cybersecurity firm Rezonate.

“Yet, meeting basic security standards is not enough as we already know compliance does not mean better security,” Akerman told ClearanceJobs. “Governing access to data, how it is used, and what can be achieved with it is just as important, and often should be dealt with first.”

These moves should therefore not be the last efforts to improve cybersecurity within the Federal government. Even with these new rules, greater efforts should be made by Federal agencies and contractors alike to help maintain security over sensitive information.

“Particularly under the cloud of the latest leads – which appear to be related to poor controls over physical, not electronic, documents – the need for a comprehensive and consistent security policy over information the government identifies as sensitive has never been greater,” said technology industry analyst Rob Enderle of the Enderle Group.

“Policy inconsistencies directly feed strategies to compromise this sensitive information and eliminating those, therefore, is on the critical path to greater information security,” Enderle told ClearanceJobs. “Continuing to do this piecemeal, while better than doing nothing, still won’t fully accomplish this goal and the closer we get to a universal security policy that is enforceable and enforced the more secure we will eventually be.”

Related News

Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.