As of November 30, 2020, certain U.S. Department of Defense (“DoD”) prime contractors and subcontractors will need to complete a cybersecurity self-assessment prior to receiving new DoD contracts and prior to the exercise of new options under existing DoD contracts. Additionally, DoD contractors will need to ensure that any subcontractors that receive Controlled Unclassified Information (“CUI”) have also completed the cybersecurity self-assessment.
DoD currently requires that all contracts, except for contracts for commercially available off-the-shelf (“COTS”) items, contain Defense Federal Acquisition Regulation Supplement (“DFARS”) clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires that the contractor implement the 110 security controls set forth in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 on any information system that processes, stores, or transmits CUI. A contractor that has not fully implemented all 110 of the NIST SP 800-171 security controls is permitted to submit a so-called “system security plan” or “SSP” that describes the system architecture and current level of implementation of each of the required controls. For any controls not yet fully implemented, contractors are required to submit a Plan of Action and Milestones or “POAM” that identifies the steps to be taken to implement those controls and the anticipated timeframe for completion of those steps.
CeleraPro submitted its NIST SP 800-171 in September 2021, with a POAM that is currently being worked on by our Manager of Quality Compliance, Ms. Ndeye Traore.