CMMC Rule Clears OIRA Review

Although the United States Department of Defense’s Cybersecurity Maturity Model Certification (“CMMC”) program was previously the subject of a regulatory review process in 2020, DoD decided in 2021 to retool the program before it was fully in effect. DoD has been working on corresponding revisions to the Defense Federal Acquisition Regulations Supplement (“DFARS”) ever since.


Identifying Controlled Unclassified Information (“CUI”) in your Environment

Many government contractors are worried about identifying the CUI in their environment. In this article we’ll take a brief look at the government’s and contractors’ obligations with respect to CUI and why contractors need not fixate on looking for every possible type of CUI. We’ll also look at how to identify one specific type of CUI, Controlled Technical Information, or CTI, that may be lurking in contractor environments without explicit CUI markings.

Subcontractor Questionnaire – Discussion Draft

We are excited to release a discussion draft of our new CUI Recipient Preparedness questionnaire. The questionnaire helps organizations that want to disseminate CUI to others better achieve 32 CFR 2002’s “reasonable certainty” that an intended recipient can properly handle CUI.

Please help us build a better resource for the community.

Questions, comments, and enhancements to the questionnaire are welcome!

Leveraging NIST SP 800-171 Attestation Letters from FedRAMP 3PAOs and CyberAB C3PAOs

Some DoD contractors are making significant investments to enhance their cybersecurity. This article discusses an approach those contractors can use to help increase the ROI for that work and win more contracts.

The Impact of the NIST SP 800-171 Rev. 3 Discussion Draft on CMMC and Related Programs

NIST released a discussion draft of SP 800-171 Rev. 3 late last week. This article describes the impact that discussion draft will likely have on DoD’s CMMC program and provides some insights for contractors who are proactively preparing for Rev. 3’s (eventual) release.

DoD Adding New Arrows to Contracting Officers’ Quivers (via SPRS)

DoD published a notice that DFARS 252.204-7024 will soon be published. This new clause requires contracting officers to consider supply chain risk and SPRS-reported risk information as part of award decisions. Click through for additional information!

FAR and Above and SPRS Scoring Tool Downloaded Over 11,000 Times! New Update Available!

Our automated SPRS and FAR and Above scoring tool has been downloaded over 11,000 times since the first version was released in 2021! We recently updated the tool to version 2023.02a. The changes include a bug fix to the SPRS scoring for 3.13.11, the addition of FAR and Above and SPRS scores to the SSP (more…)

2022 Year End CMMC Program Status Update

2022 saw a lot of changes to the CMMC program, and even to the government’s approach to supply chain cybersecurity. In this post, we summarize some of the key DoD-related changes in an effort to help contractors understand what they will likely encounter in 2023.

Pentagon’s Joint Surveillance Program in Full Swing

The United States Department of Defense (“DoD”) has begun its “Joint Surveillance Program” in conjunction with the CyberAB, the organization tasked with overseeing the CMMC ecosystem. Under the Joint Surveillance Program, members of DoD’s Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”) accompany and oversee representatives from CyberAB-authorized Certified 3rd Party Assessment Organizations (“C3PAOs”) as (more…)