Security requirements from the DoD for federal contractors are evolving and are more extensive and complex than many govcon’s realize. These include not only cybersecurity protection of government systems and data that contractors use and access – but also protection of sensitive data on contractor AND subcontractor-owned or operated back-office systems. These are potentially new, costly requirements with long lead times and limited available resources, for many in the GovCon community.

DIB contractors’ external back-office systems handling confidential, classified, or CUI data must now be CMMC 2.0 compliant as per NIST 800-171 R2 security requirements. This point—along with DFARS requirements and much more—was explored in depth at a recent webinar hosted by Capture2Proposal.

The event’s speakers were Mark Edwards, Information System Security Officer (ISSO) at Capture2Proposal; Sam Morthland, Chief Financial Officer (CFO) at Sera-Brynn; Scott Edwards, CEO and President of Summit 7; and Alexy Johnson, Senior Cyber Security Analyst at Sera-Brynn. 

Following this event summary, find out more about a fast-track, low-cost, holistic CMMC strategy tailored to your company – a unique joint offering from this  partnership of highly-experienced SMEs.

The requirements’ impacts will be felt throughout the industry, Scott Edwards explained, as the CMMC program is being elevated to a DoD-wide standard. Additionally, he adds, “ it’s going to be incredibly important that [contractors] make sure their entire supply chain is also meeting these requirements.”

Currently, popular IaaS, PaaS, and SaaS systems have various states of compliance. Edwards notes that Microsoft Office 365 GCC High on Azure Government, for instance, is DFARS 252.204.7012 compliant, ITAR Ready, and FedRAMP High. It also leverages US-only personnel for support within the US Sovereign Cloud infrastructure. However, Office 365 Commercial on Azure Commercial is not DFARS 7012 compliant, not ITAR Ready, and uses non-US personnel support (though it is FedRAMP High).

Of crucial importance, according to Alexy Johnson, are the DFARS 7012 requirements on external CSP systems. “If you are a Department of Defense Contractor,” he stated, “and your information system will store, process, or transmit controlled (such as CUI) or classified information, you are required to implement NIST 800-171.” 

Moreover, “if you are a Department of Defense Contractor who will utilize an external cloud services provider (CSP) just for processing or transmission of controlled or classified information . . . you as a contractor are required to ensure that the cloud services provider meets requirements that are equivalent to the FedRAMP Moderate baseline and that they also comply with the requirements of paragraphs (c) through (g), which are related to incident reporting, potentially artifact-gathering to support investigation things, etc.”

The webinar was capped off with a few recommendations from the presenters: first, DIB contractors investigate CSP applications and portfolios to see how DFARS determines compliance. Second, external CSPs explore the regulations for FedRAMP Moderate baseline assessments. Finally, all affected parties take action now; CMMC arrives in May 2023, and contractors would do well to anticipate their needs – which may require significant time, expense and risk.

Recognizing that many Government Contractors want an end-to-end CMMC compliance solution, including fully-documented 3PAO attestation, Capture2Proposal has partnered with Summit 7 (a leading provider of cybersecurity compliance, cloud architectures and solutions) and Sera-Brynn (a leading 3PAO for CMMC/DFARS compliance and cybersecurity assessments) to reduce costs and risk, while accelerating CMMC compliance efforts for you.  

As compliance deadlines are approaching and CMMC resources are dwindling, now is the ideal time to get started and complete your compliance activities.  Contact us today to learn more and reserve your spot.

Let's connect and start (or continue!) the journey.

Your information will never be shared with a third party.