Webinar: Federal Cybersecurity and Contractor Supply Chain Obligations

Map Unavailable

Date(s) - 03/30/2020
12:30 pm - 2:30 pm


 A Virginia PTAC Organized or Sponsored event, Contract Management, Government Contracting, Intermediate Level, Introductory Level, Legal Issues, Other, Risk Management, Selling to Government

Federal Cybersecurity and Contractor Supply Chain Obligations – The Evolution from the NIST SSP / POA&M to the Cybersecurity Model Maturity Certification (CMMC)

Since December 2017, Defense Department prime and subcontractors were required to have installed and implemented a compliant NIST SP 800-171 Security System Plan (SSP) and Plan of Action & Milestones (POA&M) designed to effectively safeguard “covered defense information.” In June 2019, DoD began to publicize that its cybersecurity requirements had evolved from the self-certified SSP and POA&M documentation to a mandatory certification by an outside third party at one of five levels specified level of cybersecurity compliance – the CMMC program. DoD had aggressive plans to insert CMMC requirements in RFIs around June 2020 and perhaps in RFPs by September 2020.  This may no longer be the case.

Companies now have to establish the status of their existing cybersecurity compliance plan in the context of the DoD (and other federal agencies) evolving requirements? Prudent contractors should understand and confirm if their NIST-based System Security Plan is sufficient (and at what “certified” level) for current and future contract obligations. Your company’s level of “cyber hygiene” will directly impact your eligibility to contract or subcontract with the Defense Department (and likely with some non-DoD agencies) as well as impact your competitive posture for evaluation purposes anywhere in the supply or service chain. Cyber compliance is now the foundation under the three statutory evaluation factors of technical, past performance and price.  The DoD requirements are in addition to the pre-existing FAR requirements regarding “federal contract information” as well as existing DHS, GSA and other agency requirements.

In this Program, you will learn about:

  • What guidance to follow when transitioning your cybersecurity plan from NIST-171 to CMMC Level 3.
  • How requirements under the Draft NIST SP 800-171B are now incorporated in Level 3 under CMMC.
    • The evolution of the cybersecurity vocabulary: CUI, FCI, CDI or CTI
    • DoD’s new Cybersecurity Model Maturity Certification (CMMC) plan
      • CMMC cybersecurity implementation Levels 1-5
      • Cybersecurity certification as a contractor qualification versus cybersecurity as an evaluation factor.
      • Is DoD’s implementation schedule for the deployment of CMMC trained third-party accredited organizations realistic?
      • What are the preferred self-assessment programs and why
    • What are the supply chain obligations regarding certain foreign sources?
    • What are the 113 technical differences between the “basic” Level 1 versus the “good” Level 3 requirement?
  • Cybersecurity implementation technical issues – will your current plan receive any credit under CMMC?
  • The fundamentals of cybersecurity training

To register, please click here!