Defense Contractors: It’s Time to Pay Attention to Cybersecurity Requirements

Many Defense contractors have been watching and waiting for information on the new Cybersecurity Maturity Model Certification (CMMC) that is looming on the horizon for all 300,000+ Defense contractors. The only exemptions apply to vendors providing commercial off-the-shelf items and to solicitations below the micro-purchase threshold of $10,000. Currently, the CMMC Accreditation Body is in the process of training assessors and registered practitioners and setting up a “marketplace” where businesses can find an assessor or practitioner.

Meanwhile, DoD has issued a NEW regulation to enhance cybersecurity in the short term while we wait for the implementation of CMMC over the next 5 years. This new interim regulation (DFARS 252.204-7019) is a solicitation clause that requires firms that handle Controlled Unclassified Information (CUI) and respond to a solicitation to have a current assessment on record in an online database called the Supplier Performance Risk System (SPRS). This clause is required in DoD solicitations with CUI above the micro-purchase threshold of $10,000 starting now.

We will be discussing all this in an upcoming Webinar on December 8th.  Until then, read on:

DOES THE NEW ASSESSMENT REQUIREMENT APPLY TO YOU?

Maybe. Katie Arrington, DoD’s Chief Information Security Officer, recently indicated in public sessions that it applies to all Defense contracts. However, the regulation aligns itself with the existing regulation that only applies to contracts with CUI. And we’ve heard that for solicitations auto-awarded in the Defense Logistics Agency’s Defense Internet Bid Board System, DLA is only applying it to solicitations with CUI. Public comment on the interim rule closed November 30, and there were several comments about this confusion. We anticipate clarification soon.

Additionally, there is significant confusion about whether firms providing commercial items are exempt as they are from CMMC.  We’ve heard reports of some prime contractors requiring the self-assessments for ALL their suppliers.  And, the rule indicates:

“…To achieve the desired policy outcome, DoD intends to apply the new provision and clauses to contracts and subcontracts for the acquisition of commercial items and to acquisitions valued at or below the simplified acquisition threshold, but greater than the micro-purchase threshold.”  

However, it goes on to state:

“The provision and clauses will not be applicable to contracts or subcontracts exclusively for the acquisition of commercially available off-the-shelf items.”

WHAT SHOULD YOU DO?

  1. PTAC’s first advice is to check your current contracts and subcontracts, and any active solicitations you are bidding on, for the following DFARS clauses:
    • 252.204-7019 (DoD Assessment Requirements)
    • 252.204-7020 (DoD Assessment Requirements) and
    • 252.204-7021 (CMMC requirements).
  2. Know whether or not you are in possession of any Controlled Unclassified Information (CUI) or Covered Defense Information (CDI) or Controlled Technical Information (CTI).  You might be surprised to find out you have it and are required to control access to it.
  3. Complete a self-assessment, especially if you have CUI or make controlled information in the course of your work. This new rule is broad and compliance is checked prior to award so it is critical that you complete the self-assessment and post the results in SPRS if you plan to bid or are expecting an option year award on an existing contract or subcontract.  And, experts agree that good cybersecurity is good business.
  4. Attend PTAC’s Cybersecurity Contract Implications Webinar on December 8th, 10am.
  5. Continue to prepare for CMMC.  Impact Washington has a short Senior Management briefing about it as well as a more in-depth training for practitioners. 

HOW TO DO SELF-ASSESSMENT

The assessment has three levels (Basic, Medium, High) and is based on compliance with NIST SP 800-171 security requirements.  A basic assessment is a self-assessment completed by the contractor while a medium or high is completed by Defense Contract Management Agency.  DCMA stood up the new Defense Industrial Base Cybersecurity Assessment Center in the summer of 2019, but concerns remain that DCMA does not have capacity to conduct all the necessary assessments at this time.

To complete a self-assessment, one option is to use Project Spectrum’s self-assessment tool, found on their website here. Click “Cyber Readiness Check” at the top and create a free account. After you answer every question with either a yes or a no, the system will provide you with a score that you will enter into SPRS. Instructions on accessing SPRS are found here. The top score is 110. Each time you indicate you are out of compliance with one of the items, points are deducted. It is possible to receive a negative score, as some items are weighted higher than others. DoD is not requiring a perfect score or any specific minimum score at this time. It is, however, a very good idea to shore up deficiencies now. When you enter your score into SPRS, you’ll also be asked to enter a date when the contractor will achieve full compliance with all 110 security requirements. As you implement improvements in your cybersecurity systems, you may update your score in SPRS.

QUESTIONS?

Your PTAC welcomes any and all cybersecurity-related questions. Our mission is to increase contracts and subcontracts to Washington firms, and if cybersecurity compliance is a barrier to your firm, please reach out. Find your PTAC advisor at www.washingtonptac.org.
