Federal Contractor Cyber Security Program NIST and CMMC Assessment
Department of Defense Industrial Base Community Activation
US adversaries begin targeting defense contractors as soon as the Department of Defense (DoD) announces contract awards. Many contractors mistakenly believe that their DoD contracts are not important enough to attract attention. The DoD recognizes that the entire Defense Industrial Base (DIB), regardless of contract type, is susceptible to exploitation. America’s adversaries seek DoD contract information to piece together seemingly minor information, so they can organize the multiple pieces into meaningful intelligence to sabotage DoD efforts.
Federal Contract Information (FCI), Controlled Unclassified Information (CUI), Controlled Technical Information (CTI), and each contractor’s proprietary defense information must be both protected and sharable. The DoD has determined that NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is the framework that defense contractors must implement.
The DoD also created the three-year Cybersecurity Maturity Model Certification (CMMC) to validate the contractor’s implementation of the NIST 800-171 framework. The CMMC Contract Clause is in the final stages of legal approval and is expected to be published in March 2023. Within 60 days of its publication, the CMMC Contract Clause will begin to appear on contracts.
The right processes for the right people at the right time
The Federal Contractor Cybersecurity Program is a four-phase program that provides DIB lifecycle support for DoD cybersecurity contract requirements. We understand that meeting CMMC assessment requirements is a business responsibility, not just a technical issue.
Our engagement focuses on partnering with every CUI stakeholder during the NIST and CMMC journey. This allows our team members to realize the business implications, in addition to the IT challenges, while taking a step-by-step approach to understanding CUI, NIST, and CMMC contractual requirements.
CMMC as a business imperative
Typically, consultants approach CMMC through a technical lens, beginning with the NIST 800-171 gap analysis and concluding with items to prepare for the CMMC assessment process. This approach, however, lacks the first step in any process: IDENTIFICATION. Without identifying DoD CUI processing requirements, subsequent success with NIST 800-171 and CMMC may not translate to compliance with contracts. It is possible to pass a CMMC assessment and obtain a NIST 800-171 score of 110 and still not be in compliance with the contract if the contractual CUI handling requirements were never validated in the first place; hence the importance of identification.
Our team of professionals sees CMMC as a business problem and offers a unique approach to address this challenge. We perform an analysis of DoD contracts and identify the CUI that needs to be protected from the start, resulting in a more accurate scope of work and an increased success rate for compliance. This approach allows us to tailor services to provide NIST 800-171 self-assessment support, accurate CMMC documentation, and CMMC assessment coaching. Upon successful award of a CMMC certification, we also provide support for the required annual assessments and subsequent contractual agreements.
CMMC as a competitive advantage
Early adopters within the DIB who seek validation of existing contract clause compliance and prepare their organizations for the inevitable CMMC contract clause are better positioned in the fiercely competitive defense contractor space. CUI protection is now the norm. Getting ahead of defense contractors who wait makes it easier to calculate proposal costs correctly, increases the number and types of bidding opportunities, and mitigates reputation loss if compromised.
The CMMC industry is new, and Cyber Accreditation Board (Cyber AB) qualified Registered Practitioners (RPs) and consultants preparing organizations for CMMC are rare. EisnerAmper is a registered practitioner organization and employs Cyber AB badged consultants who understand not only NIST frameworks and CMMC assessments, but also DoD contracts and the new DoD CUI program.
EisnerAmper Digital has extensive experience with DoD contracts, NIST implementation strategies, and CMMC readiness. EisnerAmper Advisory Group is a registered Cyber AB professional organization.
- Identify DoD CUI management contractual requirements
- Consultation on eligible expenses
- Contractual Compliance Strategies
- NIST 800-171 and 172 scope and rating
- Analysis of control gaps and recommendations
- Tailored policies, plans, standards and procedures
- Information Security Virtual Director Services
- Vulnerability analysis
Your FCCP Professionals
As a Partner and National Practice Leader for EisnerAmper Digital, Jerry’s credo is to help clients turn risk into opportunity.
With over 30 years of experience in internal audit, technology and information security, Ray provides technology risk management services to small and medium businesses as well as large Fortune 100 companies.
Retired from Special Operations Command with over 20 years as a Level III Acquisition PM, Jill has extensive operational and DoD contract development experience. Jill also served as the DoD Policy Manager responsible for updating corporate program management policy.