As a small defense contractor, you are likely aware that DFARS 7012, 7019, and 7020 require you to take significant steps to secure the Controlled Unclassified Information (CUI) received or developed in the performance of your Department of Defense (DoD) contract. In addition, the DFARS 7020 clause (c) requires defense contractors to grant the government access to its facilities, systems, and personnel to conduct a Medium or High assessment. Therefore, if you are one of the lucky companies selected for a Medium or High assessment, the Defense Contract Management Agency (DCMA) assessor will likely ask you the following seven key questions to determine your readiness and the accuracy of your self-reported Supplier Performance Risk System (SPRS) score as required by DFARS 7019.

1. What is your most recent System Security Plan (SSP) date, and how does your SSP describe compliance with NIST SP 800-171 practices? The SSP is your plan for protecting your systems' confidentiality, integrity, availability, and the information stored on them. It should describe your approach to compliance with each of the 110 practices listed in NIST SP 800-171 and how you are implementing them in your organization. You should have a recent SSP that is updated regularly and readily available to demonstrate your commitment to compliance. It is not uncommon for an SSP to range from 250-500 pages.

2. Have you conducted a self-assessment in accordance with NIST SP 800-171 Assessment Methodology? A self-assessment is an internal review of your security posture and practices to determine your compliance with NIST SP 800-171. You should have a POAM that outlines the steps you will take to remediate any findings and the timeline for completion. The POAM should be updated regularly and submitted to the Defense Contract Management Agency (DCMA) to demonstrate your commitment to continuous improvement.

3. What is your SPRS score, when was it submitted, and do you have sufficient documentary evidence to support it? The SPRS score is a risk score that you assign to your organization based on your self-assessment. It is submitted through the Supplier Performance Risk System (SPRS) and provides a snapshot of your security posture and risk. You should have sufficient documentary evidence to support your SPRS score and be prepared to explain how you arrived at your score if asked by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessor.

4. Do you have a change management process, and if so, what is its governance? A change management process is critical to maintaining your systems' confidentiality, integrity, availability, and the information stored on them. The governance of your change management process should include the steps you take to review and approve changes, the roles and responsibilities of the individuals involved, and the processes for tracking and documenting changes.

5. Do you have a formal set of policies and procedures that you maintain and follow? Policies and procedures are the foundation of a secure and compliant organization. You should have written policies and procedures that describe how you will protect the sensitive information stored on your systems and the processes you will follow to ensure compliance with NIST SP 800-171. You should regularly review and update your policies and procedures to ensure they remain current and relevant.

6. Does the Cloud Service Provider (CSP) you use to store CUI satisfy the FedRAMP Moderate baseline or equivalent? The Cloud Service Provider (CSP) that you use to store CUI must meet the minimum security standards outlined by the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline or an equivalent standard. Your CSP should provide documentation and evidence of its compliance with FedRAMP or equivalent standards to demonstrate that it is a secure solution for storing CUI.

7. If you use encryption to protect CUI, do you use FIPS 140-2 or later? Encryption is critical to safeguard the confidentiality and integrity of the information stored on your systems. To meet the requirements of FIPS 140-2, encryption products must undergo rigorous testing and be validated by an accredited third-party laboratory. The validation process ensures that the encryption algorithms used by the product meet the required standards for security and that the product is secure against tampering, unauthorized access, and other attacks.

Being prepared for a DIBCAC Medium or High assessment is crucial for any DoD contractor. The seven questions outlined in this article are likely to be asked during your initial conversation with the DIBCAC assessor to determine your company's assessment readiness and the accuracy of your self-reported SPRS score. If your answers are not up to par, it could result in an unfavorable outcome. That's why it's essential to take proactive steps to ensure that you comply with NIST SP 800-171. If you need assistance navigating the DFARS 7012, 7019, and 7020 rules, don't hesitate to contact Aspire Cyber. Our team of experts is here to help you ensure that you are ready and confident when the day of your assessment arrives. So, take control of your readiness and contact us today at info@aspirecyber.com!