Federal Cybersecurity and Contractor Supply Chain Obligations

Date(s) - 02/20/2020
10:00 am - 12:30 pm

MEC - Leesburg


A Virginia PTAC Organized or Sponsored event. Categories: Contract Management, Government Contracting, Intermediate Level, Introductory Level, Legal Issues, Other, Risk Management, Selling to Government

Federal Cybersecurity and Contractor Supply Chain Obligations – The Evolution from the NIST SSP / POA&M to the Cybersecurity Maturity Model Certification (CMMC)

Since December 2017, Defense Department prime contractors and subcontractors have been required to have installed and implemented a compliant NIST SP 800-171 System Security Plan (SSP) and Plan of Action & Milestones (POA&M) designed to effectively safeguard “covered defense information.” In June 2019, DoD began to publicize that its cybersecurity requirements had evolved from the self-certified SSP and POA&M documentation to a mandatory certification by an outside third party at a specified level of cybersecurity compliance – the CMMC program. DoD has aggressive plans to insert CMMC requirements in RFIs around June 2020 and perhaps in RFPs by September 2020.

What is the status of your company’s existing cybersecurity compliance plan in the context of the evolving requirements of DoD (and other federal agencies)? Prudent contractors should understand and confirm whether their System Security Plan is sufficient (and at what “certified” level) for current and future contract obligations. How will your SSP compare to your competitors’ in the DoD and overall federal marketplace? Your company’s level of “cybersecurity hygiene” will affect your eligibility to contract or subcontract with the Defense Department (and likely with some non-DoD agencies), as well as your competitive posture for evaluation purposes anywhere in the supply and service chain. The DoD requirements are in addition to the pre-existing FAR requirements regarding “federal contract information” as well as existing DHS, GSA and other agency requirements.

In this Program, you will learn about:

  • Federal Contract requirements for the Defense Department and Civilian Agencies
    • Statutory, regulatory and contract cybersecurity requirements
    • The role of NARA’s Information Security Oversight Office (ISOO)
  • Requirements for the proposed NIST SP 800-171B-compliant Cybersecurity Program reflecting ISOO guidance and requirements
    • Contractor handling of CUI, FCI, CDI or CTI
    • DoD’s new Cybersecurity Maturity Model Certification (CMMC)
      • CMMC cybersecurity implementation Levels 1-5
      • Cybersecurity certification as a contractor qualification versus cybersecurity as an evaluation factor
      • DoD’s “notional” implementation schedule for the CMMC Accreditation Body and C3PAOs
    • Supply chain obligations and foreign sourcing
    • The fundamental SSP and POA&M and additional CMMC requirements
  • FAR Guidance – included in the CMMC requirements
  • DoD Inspector General and DCMA cybersecurity enforcement reviews
  • Cybersecurity implementation technical issues
  • Cybersecurity training fundamentals