ALERT: ALL GOVERNMENT CONTRACTORS

If you sell to the federal government executive branch or sell to someone who does, this is for you.

Until now, the big cybersecurity push in Washington, DC came through a regulation in Title 32 that defines a certification program called CMMC, the Cybersecurity Maturity Model Certification. This regulation, codified in Title 32 of the US Code, requires contractors to meet the security requirements of NIST Special Publication 800-171, an intense security requirement with 110 controls. CMMC, at this point, MOSTLY but not completely, applies to defense contractors.

For a decade or more there has been a very lightweight security requirement for the rest of the federal government executive branch, codified under Federal Acquisition Regulation (FAR) 52.204-21, which specifies only 15 security controls.

That all changed this week.

Today a proposed update to FAR 52.204-21 was published in the Federal Register for a 60 day comment period. Assuming the next administration doesn’t want to look weak against Chinese, North Korean and Russian cyber attacks, this regulation is likely to go forward later this year and apply to ALL FEDERAL GOVERNMENT EXECUTIVE BRANCH CONTRACTS GOING FORWARD.

Alright, enough with all of the legal mumbo-jumbo.

What are the new requirements?

Well, the document is about 150 pages long but here are a few of the highlights. We will give you more details later.

  1. NIST SP 800-171 (and to a lesser extent 800-172) apply to all applicable federal contracts with covered data.
  2. It is up to each agency whether you can self-certify or have to pay a third party to certify you.
  3. The government’s OFFICIAL cost estimate for implementing NIST SP 800-171, assuming you are starting from ground zero, is $148,200. If you start now you can probably spread that cost over 2-3 years. If you wait, you will spend it all at once.
  4. If you put your data in the cloud, the cloud provider must be FedRAMP certified. There used to be something called FedRAMP equivalent. No more. There are not a lot of FedRAMP certified cloud providers, which means that if you want to continue to use the cloud, you may have to change providers.
  5. Cyber incidents involving Controlled UNCLASSIFIED Information (CUI) must be reported within 8 hours of DISCOVERY.

More to come. Even if this gets modified a little bit during the review process it is likely to come out pretty unscathed.

Oh, yeah, it does NOT say that if you are a small company you do not have to comply. Everyone is treated the same.

If you have not started getting ready, now would be a really good time to start. A lot of defense contractors waited, hoping it would go away. It did not. Don’t make the same mistake.

We offer a range of solutions for small to large companies at affordable prices. Please contact us.