The DFARS 252.204-7012 language states that businesses that qualify under DFARS must comply as soon as practical, but no later than December 31, 2017. To meet the requirements of Cybersecurity Maturity Model Certification (CMMC) requirements, the federal government, specifically the Department of Defense, is asking DoD contractors to prepare by aligning to DFARS 252.204-7012 or NIST SP 800-171 to continue to contract awards.
An Overview of an SSP and POA&M
In September 2017, the Department of Defense, in collaboration with the Defense Pricing and Procurement, issued more guidance on how to meet the DFARS and NIST SP 800-171 requirements. Now in 2020, it's clear that making documentation requirements, a NIST SP 800-171 System Security Plan and a POA&M (plan template for download here), is crucial to winning new businesses and keeping existing contracts even if you didn't make the December 2017 deadline for DFARS 800-171, because having these documents will help you accelerate the transition to the CMMC.
The Department of Defense (DoD) and Defense Procurement and Acquisition Policy (DPAP) structured the guidance advising companies with systems and organizations that touch-controlled unclassified information to create a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) to track their DFARS compliance. The guidance covered how to use the DFARS SSP and POA&M documents, how to appropriately document NIST SP 800-171 compliance, and the need for a POA&M to leverage along with the System Security Plan (SSP) for the DFARS compliance process. As part of the rollout of the CMMC levels, contracts will be granted in a go/no-go fashion, meaning that while valuable internally, a POA&M will no longer be accepted as part of a CMMC assessment.
Why Use a POA&M and DFARS SSP?
As a core part of the CyberStrong features, the SSP and POA&M generation and output are important artifacts to demonstrate your compliance or path to compliance. They are highly recommended and included in the DoD’s statement mentioned earlier. The POA&M and SSP are documents that the DoD or your prime contractor will surely appreciate come December and, at the very least, in 2018. The actual NIST SP 800-171 revision 1 calls this type of artifact “critical inputs to an overall risk management decision to process, store or transmit CUI (controlled unclassified information)”. These efforts are to protect controlled unclassified information (CUI) across the Department of Defense (DoD) supply chain. NIST SP 800-171 rev 2 was the latest update, released this year.
Keep in mind that the DoD also stated that if a contractor is not fully compliant with the total set of information security controls by December 31, 2017, but has a DFARS SSP and Plan of Action and Milestones (POA&M) proving each control status and plan for remediation, that company can report ‘compliance’ to DFARS requirement 3.1 and so on for all intents and purposes of clause 7012.
The additional guidance gives examples of DFARS Plan of Action and Milestones (POA&M) and System Security Plan (SSP) use in these instances:
- Reporting compliance with DFARS 252.204-7012 for technical evaluation
- “Using proposal instructions and corresponding evaluation specifics” to determine processing, storing, and transmitting CDI/CUI and what risks are in or out of scope for the project
- Organizing and pin-pointing NIST SP 800-171 control requirements that were not implemented at the time of awards
- Identifying that the security requirements in NIST SP 800-171 must be implemented
Approaching Compliance With Your Documents
A DFARS SSP template can be critical to fully documenting compliance. Revision 1 to NIST SP 800-171 added another control to the set that requires the creation of a DFARS SSP to “describe[s] the boundary of [a contractor’s] information system; the operational environment for the system; how the security requirements are implemented; and the relationships with or connections to other systems.”
In the CyberStrong platform, once you input your data, the DFARS SSP and POA&M can both be exported, and a project that can take weeks or even months is simplified into a few hours. We know how difficult it is from a financial, time, and resource point of view to fully comply, much less build your system security plan and POA&M, so we made it much easier for you to get ahead of the deadline by automating these documents as you run through an assessment
In addition to a POA&M, according to the DoD, the System Security Plan (SSP) “describes how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when they will correct deficiencies and reduce or eliminate vulnerabilities in the systems”. That means that the documents must describe the requirements, how you plan to remediate each of the controls, and a timeline for remediation in your organization. An approved CMMC system security plan will also document the roles and responsibilities of security personnel and a current overview of the security standards the company follows. These is just the bare bones of the plans that describe a system security plan, as there is much more information that we recommend be included for compliance tracking - such as team members in charge of controls, deadlines, and technology that will be adopted in remediation steps - all included in the CyberStrong export using your organization's real-time data.
If you are a company that falls under the DFARS and NIST 800-171 mandate and handles sensitive information, the DoD, and our experts at CyberSaint, highly recommend having a POA&M and system security plan in place to protect CUI. You can either use the CyberStrong platform to streamline compliance and automatically format and export your data into these documents for review or put the documents together on your own. You will have to periodically update your system security plan to maintain compliance. However, be aware that the compliance deadline has technically passed, and you will have to allot full company resources to get these documents ready if requested. Regardless of your method, these documents are key for saving your contracts if you aren't yet fully compliant, and will put you in good standing for your primes or contracts against the competition. In 2018, make sure that you are working on becoming compliant using the NIST SP 800-171 system security plan and POA&M documents, and that you demonstrate your competitiveness and adherence to DoD regulations if your business relies on defense-related revenue.
Download the information system security plan template and the definitive DFARS Compliance Guide for more actionable steps. For more information on NIST 800-171 and CMMC compliance, read more about them here.