Leveraging NIST SP 800-171 Attestation Letters from FedRAMP 3PAOs and CyberAB C3PAOs

Some DoD contractors are making significant investments to enhance their cybersecurity. This article discusses an approach those contractors can use to help increase the ROI for that work and win more contracts.

The Impact of the NIST SP 800-171 Rev. 3 Discussion Draft on CMMC and Related Programs

NIST released a discussion draft of SP 800-171 Rev. 3 late last week. This article describes the impact that discussion draft will likely have on DoD’s CMMC program and provides some insights for contractors who are proactively preparing for Rev. 3’s (eventual) release.

DoD Adding New Arrows to Contracting Officers’ Quivers (via SPRS)

DoD published a notice that DFARS 252.204-7024 will soon be published. This new clause requires contracting officers to consider supply chain risk and SPRS-reported risk information, as part of the award decisions. Click through for additional information!

2022 Year End CMMC Program Status Update

2022 saw a lot of changes to the CMMC program, and even to the government’s approach to supply chain cybersecurity. In this post, we summarize some of the key DoD-related changes in an effort to help contractors understand what they will likely encounter in 2023.

The $0 CMMC Level 2 Compliance Fallacy

Government representatives have stated that complying with CMMC 2.0 Level 2 shouldn’t cost contractors or the government anything, because contractors have been attesting to the government that they are doing these things for years. This article explores why this is correct only for a small minority (17 out of 110) of the controls in CMMC 2.0 Level 2.

When is CUI not CUI?

Imagine the following scenario: As part of Project Road Runner, a new initiative, the United States Army, a portion of the Department of Defense (“DoD”), wants to purchase three dozen anvils. The anvils must meet specific size, strength, and weight requirements. DoD has already performed a search and is not able to find a COTS (more…)

On NIST SP 800-171, NFO Controls and Policies, Procedures, and Plans

With CMMC 2.0, DoD removed process maturity as an assessed requirement. Some commentators are suggesting that NIST 800-171’s “NFO” controls inherently require policies. We explore the requirement in this article.