If you are a prime or subcontractor to the DoD, the DFARS compliance requirement is something you already know. We have been discussing "adequate security" under DFARS 252.204-7012 for some time now. Your service provider may not be able to assess how close you are to complying with the regulation, or to pinpoint the specific assessment objectives you still need to meet.
Currently, you also need to meet the Interim Rule (DFARS 252.204-7019 and 7020), which means creating an account and posting your NIST SP 800-171 DoD Assessment Methodology (DoDAM) score in the Supplier Performance Risk System (SPRS). As a quick self-check of how you are protecting CUI, here are a few questions that show whether you have clause 7012 under control.
1) What is your current SPRS score?
Reasoning: The Interim Rule requires a posted score before award, and it is the first evidence a contracting officer sees that you are doing due diligence toward CMMC certification. If you cannot quote the number, the date of the assessment, and the gaps that keep it below 110, the rest of the questions will be hard to answer as well.
2) Do all employees know where to find your security policies?
Reasoning: Many times the policies are never shared with the people responsible for applying them in their daily work. Violating a policy should carry consequences, but if employees are unaware of the policies or simply cannot get to them, "nobody told me" becomes a credible defense, and the policy exists only on paper.
3) What encryption are you using for email?
Reasoning: Email is a common path by which CUI leaves the organization, so the answer shows whether the technical controls were thought through in detail. NIST SP 800-171 (3.13.11) requires FIPS-validated cryptography wherever cryptography is used to protect the confidentiality of CUI, so "we use TLS" by itself is not a complete answer; you should be able to name the product or service, how messages containing CUI are encrypted, and whether that cryptography is FIPS-validated. A specific answer is a good indicator that thought went into the technical controls, even if they are not yet fully deployed.
4) How do you separate security role training from standard security awareness training?
Reasoning: This is a non-technical requirement that also shows whether the client has worked through the details of the controls. NIST SP 800-171 calls for both general awareness training and training for personnel in their assigned security roles (system administrators, incident responders, and so on). Role-based training is easy to overlook because it has to match the duties actually assigned in your environment and is often not something that can simply be purchased off the shelf.
5) Who is monitoring your system and reviewing your system logs?
Reasoning: Having systems write audit logs is only the start; the logs need ongoing attention. First, confirm they are actually being captured and stored, and that collection has not silently stopped. Next, review them regularly for suspicious activity, not just for volume. Finally, test that they are tamper-resistant (a change or deletion should be detectable) and that the alert thresholds you rely on are configured and actually fire. If logging is outsourced, this question exposes a gap when no one can say who is responsible for making sure the logging pipeline works and is itself secure.
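The three checks above (logs still arriving, logs tamper-evident, thresholds that actually fire) can be exercised against your own log export. The script below is an added example, not code from the original post or any product it mentions; it runs against a small constructed set of syslog-style lines embedded in the file, uses an HMAC chain for tamper evidence (the key, log lines, IPs and threshold values are all assumptions for illustration), and flags any source that exceeds a failed-login threshold inside a sliding time window.

```python
import hashlib
import hmac
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit log (syslog-style lines with UTC timestamps).
# These are made-up entries for the example, not data from any real system.
SAMPLE_LOG = [
    "2024-03-01T09:00:05Z sshd[101]: Failed password for admin from 203.0.113.7",
    "2024-03-01T09:00:09Z sshd[101]: Failed password for admin from 203.0.113.7",
    "2024-03-01T09:00:12Z sshd[101]: Failed password for admin from 203.0.113.7",
    "2024-03-01T09:00:14Z sshd[101]: Failed password for admin from 203.0.113.7",
    "2024-03-01T09:00:17Z sshd[101]: Failed password for admin from 203.0.113.7",
    "2024-03-01T09:00:40Z sshd[102]: Accepted publickey for jdoe from 198.51.100.4",
    "2024-03-01T09:05:00Z sshd[103]: Failed password for jdoe from 198.51.100.4",
]

FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")


def parse_ts(line):
    """Timestamp is the first whitespace-delimited field, ISO 8601 in UTC."""
    stamp = line.split(" ", 1)[0]
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_freshness(lines, now_iso, max_age_seconds):
    """Check 1: are logs still being captured? True if the newest entry is recent."""
    if not lines:
        return False
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    newest = max(parse_ts(line) for line in lines)
    return now - newest <= timedelta(seconds=max_age_seconds)


def chain_tags(lines, key):
    """Check 3a setup: HMAC chain. Each tag covers the previous tag plus the line,
    so editing, deleting or reordering any entry breaks every tag after it."""
    tags, prev = [], b""
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        tags.append(tag)
        prev = tag.encode()
    return tags


def verify_chain(lines, tags, key):
    """Return the index of the first position that fails verification
    (a modified, removed or unsigned line), or None if the log is intact."""
    prev = b""
    for i, (line, tag) in enumerate(zip(lines, tags)):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return i
        prev = tag.encode()
    if len(lines) != len(tags):          # truncated log or appended unsigned line
        return min(len(lines), len(tags))
    return None


def failed_login_alerts(lines, threshold, window_seconds):
    """Check 3b: threshold trigger. Returns (source_ip, count) for every source
    whose failed logins inside any sliding window reach the threshold."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            events[m.group(2)].append(parse_ts(line))
    alerts = []
    for ip, times in sorted(events.items()):
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((ip, best))
    return alerts


if __name__ == "__main__":
    key = b"example-hmac-key"                 # assumption: in practice, kept off the logging host
    tags = chain_tags(SAMPLE_LOG, key)
    tampered = list(SAMPLE_LOG)
    tampered[2] = tampered[2].replace("Failed", "Accepted")
    print("fresh:", check_freshness(SAMPLE_LOG, "2024-03-01T09:10:00Z", 600))
    print("intact:", verify_chain(SAMPLE_LOG, tags, key))
    print("tampered at:", verify_chain(tampered, tags, key))
    print("alerts:", failed_login_alerts(SAMPLE_LOG, 5, 60))
```

The point of the chain is that the verifier needs the key and the stored tags but the log host does not need the key after signing, so someone who can edit the log file cannot re-sign it; in practice the tags (or a rolling digest) are shipped to a separate system, which is also where the freshness check should run so that a dead forwarder is noticed.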
6) When was your last risk assessment? (Hint: It should be within a year.)
Reasoning: There is still confusion between a risk assessment and a vulnerability assessment. A vulnerability scan lists weaknesses in systems; a risk assessment looks at the business and its systems in terms of threat events (fire, flood, power outage, system failure, compromised credentials, and so on), the likelihood and impact of each, and what has been done to reduce them. If the client has done a risk assessment, they should be able to produce that analysis and the remediation plan that came out of it, and both should be less than a year old.
CMMC assessors will treat these as basic questions during the official certification assessment. If you are unsure about your answer to any of them, you either have not addressed that area thoroughly enough or are not yet ready for a CMMC assessment.
If you need the help of a DFARS Compliance Company in Maryland to get through the process or need someone to manage this effort, then this is the perfect time to reach out to us.
DFARS Compliance Company in Maryland
Besides managing the compliance effort, we provide several solutions that work with your current service provider. We prefer to manage the process as a fractional compliance officer, but we can also build projects a la carte. We can tackle several objectives you might not have thought about, such as developing more concise security policies, supporting a system migration from on-premises to cloud, or even SaaS services such as supporting PreVeil or FutureFeed integration. If you are looking for a DFARS Compliance Company in Maryland, reach out today.