Originally Broadcast On: Thursday January 26, 2023, 4:00 PM ET
SYNOPSIS
John A. Ellis, co-founder of the DCMA’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), returned for the Cyber Collaboration Center’s first webinar of the new year, which aired on Thursday, January 26, 2023 at 4:00 PM ET.
Are your suppliers ready for CMMC? Mr. Ellis provided an update on the general trends revealed by the DIBCAC’s recent medium-confidence assessments of small and medium-sized contractors within the Defense Industrial Base (DIB). The DIBCAC has performed many random spot checks of contractor System Security Plans (SSPs) and compared the SSP details with the contractor’s corresponding DoD NIST SP 800-171 Assessment Methodology “Basic Assessment” scores as self-reported to the Supplier Performance Risk System (SPRS).
The results make it clear that many contractors and subcontractors do not fully understand the DFARS and NIST cybersecurity requirements, or may feel that they are unlikely to be scrutinized and therefore do not dedicate adequate attention to accuracy in reporting. This creates a problem for prime contractors, who need to ensure supplier readiness. As DIBCAC medium assessments and the NIST SP 800-171 Joint Surveillance voluntary assessments co-executed by the DIBCAC and accredited C3PAO organizations have been finding, there is a growing gap between what contractors (and in many cases consultants) think is required and what will actually be needed to achieve CMMC Level 2 certification for CUI handling.
With final CMMC rulemaking almost complete, all companies planning to continue doing business with the U.S. Department of Defense, whether as prime contractors or as subcontractors and suppliers at any tier of the supply chain, must prepare for CMMC certification by properly documenting their implementation of the security requirements and organizing their evidence for presentation to a third-party assessor for CMMC Level 2. Even companies handling only FCI and not CUI must properly understand the requirements and prepare evidence for the future self-attestation by a senior company official required for CMMC Level 1.
Prime contractors have to be especially careful to ensure their suppliers are on the right track to obtain CMMC certifications when needed, since CMMC will be a pre-award requirement once it starts appearing in solicitations and contracts. Visibility into supplier compliance readiness is critical. Time is running out for contractors and subcontractors to correctly interpret and adequately prepare for the level of effort that will ultimately be required to receive contract and subcontract awards in the upcoming CMMC era, and this webinar provides the most recent and up-to-date information directly from the DIBCAC.
Experts from eResilience also provided information on best practices for gathering and organizing evidence in preparation for CMMC Level 1 and Level 2 assessments, and shared insights on prime contractor risks and impacts associated with supply chain cyber compliance.
ABOUT OUR PRESENTERS
John A. Ellis
Director, Defense Contract Management Agency’s (DCMA) Software Division
John A. Ellis has been a leader in the DCMA’s effort to improve cybersecurity compliance across the Defense Industrial Base. As a co-founder of the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), Mr. Ellis was instrumental in developing the DoD NIST SP 800-171 Assessment Methodology and its associated Basic Assessment scoring formula. Mr. Ellis, a retired Army Colonel, served on active duty for more than 30 years. Commissioned a second lieutenant in the Field Artillery in May 1985 and becoming a member of the Army Acquisition Corps in 1995, he served in a variety of assignments, both stateside and abroad, until his retirement on 1 June 2015. Mr. Ellis’ DCMA experience began as Commander of the Future Combat Systems (FCS)/Army Modernization Programs (AMP) contract management office in St. Louis, MO, and he culminated his active duty career as DCMA’s Central Region Commander. Mr. Ellis is a member of the Defense Acquisition Corps and is Level III certified in three disciplines: Information Technology, Program Management, and Engineering. He is also a Certified Information Systems Security Professional (CISSP).