Federal Contractors: Cybersecurity Program
Enabling the Department of Defense Industrial Base Community
America’s adversaries begin targeting defense contractors as soon as the Department of Defense (DoD) announces contract awards.
Many contractors mistakenly believe that their DoD contracts are not important enough to garner attention. The DoD recognizes that the entire Defense Industrial Base (DIB), regardless of contract type, is susceptible to exploitation. America’s adversaries seek DoD contract information to assemble seemingly minor pieces of information, so that they may organize the multiple pieces into meaningful intelligence to sabotage DoD efforts.
Federal Contract Information (FCI), Controlled Unclassified Information (CUI), Controlled Technical Information (CTI) and each contractor's proprietary defense information must be both protected and shareable. The DoD determined that NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is the framework defense contractors must implement.
The DoD also created the triennial Cybersecurity Maturity Model Certification (CMMC) to validate contractors' implementation of the NIST 800-171 framework. The CMMC contract clause is in the final stages of legal approval and is expected to be released March 2023. Within 60 days of release, the CMMC contract clause will start appearing on contracts.
The Right Processes for the Right People at the Right Time
The Federal Contractors Cybersecurity Program is a four-phased program that provides the DIB lifecycle support for DoD cybersecurity contract requirements. We understand that meeting CMMC assessment requirements is an enterprise responsibility, not just a technical issue.
Our commitment focuses on partnering with each CUI stakeholder during the NIST and CMMC journey. This allows our team members to recognize the business implications, in addition to the IT challenges, while working through a phased approach to understanding CUI, NIST and CMMC contractual requirements.
CMMC as a Business Imperative
Typically, consultants address CMMC through a technical lens, starting with the NIST 800-171 gap analysis and concluding with preparation for the CMMC assessment process. That approach, however, lacks the first step in any process: IDENTIFICATION. Without identifying DoD CUI handling requirements, subsequent NIST 800-171 and CMMC success may not translate into contract compliance. It is possible to pass a CMMC assessment and achieve a NIST 800-171 score of 110 and still not be in compliance with the contract if contractual CUI handling requirements were never validated in the first place, which is why identification is so important.
Our team of professionals considers CMMC a business problem and offers a unique approach to address this challenge. We perform DoD contract analysis and identify the CUI that needs to be protected up front, resulting in a more refined scope of work and an increased success rate for compliance. This approach allows us to tailor services to provide NIST 800-171 self-assessment support, accurate CMMC documentation and CMMC assessment coaching. Once CMMC certification is awarded, we also provide sustainment for the required annual assessments and subsequent contracting arrangements.
CMMC as a Competitive Edge
DIB early adopters that pursue compliance validation of existing contract clauses and prepare their organizations for the inevitable CMMC contract clause better position themselves in the extremely competitive defense contractor space. Protecting CUI is now the new normal. Getting ahead of defense contractors that wait facilitates correct proposal costing, expands the number and types of bidding opportunities, and mitigates loss of reputation if compromised.
Do Not Wait
The CMMC industry is new, and qualified Cyber Accreditation Board (Cyber AB) Registered Practitioners (RPs) and the consultants who prepare for CMMC are at a premium. EisnerAmper is a Registered Practitioner Organization and employs badged Cyber AB consultants who not only understand NIST frameworks and CMMC assessments, but also DoD contracts and the new DoD CUI program.
EisnerAmper Digital has extensive experience with DoD contracts, NIST implementation strategies and CMMC readiness. EisnerAmper Advisory Group is a Cyber AB Registered Practitioner Organization.
- Identify Contractual DoD CUI Handling Requirements
- Allowable Expenses Consulting
- Contract Compliance Strategies
- NIST 800-171 and 800-172 Scoping, Assessing and Scoring
- Control Gap Analysis and Recommendations
- Tailored Policies, Plans, Standards, Procedures
- Virtual Chief Information Security Officer Services
- Vulnerability Scanning
Jerry Ravi is a Partner and the National Practice Leader of the firm's Risk and Compliance Services (RCS) Group. His focus is Enterprise Risk Management (ERM), internal audit and compliance. He assists in designing ERM programs, which include deploying risk-based internal audit plans to enhance governance processes and monitor ongoing compliance.