Three DoD DFARS will soon become permanent rules

According to a recent statement by Katie Arrington, the Pentagon’s CISO for acquisition and sustainment, three Defense Federal Acquisition Regulation Supplements (DFARS) for the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) will soon be permanent rules. (MeriTalk April 15, 2021)

The CMMC program enforces cybersecurity standards in the Defense Industrial Base (DIB) supply chain. The certification requirements will be part of all DoD contract requirements by 2026. (ibid)

The soon-to-be-permanent rules are:

  • DFARS Provision 252.204.7019 requires contractors to complete self-assessments and upload them into the DoD’s Supplier Risk Performance System (SPRS)
  • DFARS Clause 252.204.7020 takes place upon contract completion and allows DoD access to systems, facilities, and personnel if DoD assesses it necessary due to risk
  • DFARS Clause 252.204.7012 requires all contractors to maintain adequate security of defense information that is “processed, stored or transmitted” on their network (ibid)

According to Arrington, 300,000 contractors need to get CMMC certified within the next five years. She said, “We have thought carefully about this, and making cybersecurity foundational to acquisition wasn’t something that we just thought ‘Let’s do it one time.’ It has to be an enduring capability.” (ibid)

Questions concerning CMMC certification? Give us a call.

Security Clearance Due Process Streamlining

The Defense Department is streamlining process procedures for individual security clearances (Defense Systems, January 27, 2021). On 19 January, the Under Secretary of Defense issued a memorandum to “simplify, centralize and unify the established administrative process for unfavorable security clearance eligibility hearings and appeals.” The memo directs DoD unit heads to allow applicants to “cross-examine” those who made negative statements about them and to receive documentation on the administrative due process. However, all unit heads retain the ability to “deny or suspend” access to classified information or Special Access Programs if an individual is found to be “inconsistent with protecting the national security.” (ibid)

“The policy is effective upon DoD General Counsel (GC) certification to USD (I&S) that DOHA has prepared, but no later than September 30, 2022.” (ibid)

Was your application for a security clearance revoked, and are you not sure what to do next? Give us a call.

Born in the USA

Last week DoD set in motion the Trusted Capital Digital Marketplace, the goal of which is to give companies an alternative to foreign investors. Often, using foreign investors prohibits a company from contracting with the Department of Defense (DoD). The marketplace was originally piloted last year, with the official launch last month.

Both companies and investors apply to join the marketplace and are screened by DoD. Those accepted are listed in the digital marketplace as trusted receivers or sources of funds and may connect with each other. As of this writing, 128 companies and 30 investors have logged into the marketplace.

The Tax Cuts and Jobs Act of 2017, which created new designations for special national security-related companies in the tax code, is a crucial component of the marketplace. Additionally, the fiscal 2021 National Defense Authorization Act references the marketplace program. Combined, these will increase use of the program; as users report on the program efforts, it expands. The goal is to help start-ups obtain funding without looking to foreign investors who may have adversarial ties.

Are you looking to work with the Department of Defense and trying to figure out how to get funding? Give us a call.

DoD and Software

The Department of Defense is updating its purchasing policies for software acquisition, moving toward an Adaptive Acquisition Framework. (fedscoop, October 7, 2020)

DoD’s new software purchasing policy includes some big changes: its focus will be on updating software on an “as needed” basis instead of custom coding. In the old model DoD purchased software in the same manner as it bought tanks, which often took years. The new policy, titled 5000.87, allows contracting officers to have the tools they need to buy code while giving them the flexibility to focus on the development and maintenance of programs. (ibid)

According to a DoD spokesperson, “as more parts of the military use similar technology-development stacks, achieving Authorities to Operate (ATOs) will happen much faster.” The goal is to improve cycle time, which should now be achieved with the new framework in place.

Are you looking to work with DoD to provide software or code and have questions about how to get started under the new purchasing policy? Give us a call.

Self-Assess No More

Cybersecurity for Department of Defense (DoD) contractors is an ongoing issue. Now, DoD is issuing an interim rule to implement an Assessment Methodology and Cybersecurity Maturity Model Certification framework. This will assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain. (Federal Register, DFARS Case 2019-D041 Action: Interim Rule)

The current self-attestation of NIST Special Publication (SP) 800-171 is not working due to a lack of DoD verification. Until the implementation of the interim rule, DoD did not have a mandate to verify contractor basic safeguarding or security requirements prior to contract award. This regulation changes that. The interim rule adds a process for contractors to implement cybersecurity requirements. This is to be accomplished while the DoD’s Cybersecurity Maturity Model Certification (CMMC) and the procedures with the Accreditation Body (AB) are solidified. (MeriTalk, September 28, 2020)

Questions about how the new rule will affect your contract or upcoming bid and what you can expect? Give us a call.