Information for Bell Suppliers on Cybersecurity Requirements

Bell has created a Cybersecurity Toolkit to help our subcontractors understand the growing cybersecurity requirements for upcoming contracts. This toolkit is designed to be a one-stop shop for resources our subcontractors can use to build your compliance to contractual requirements such as NIST 800-171 and the Cybersecurity Maturity Model Certification (CMMC).

 

Here are other free resources provided by government agencies dedicated to cybersecurity education. These resources provide affordable training courses, assessment tools, and specialists to help small businesses meet increasing contractual and regulatory requirements.

 

Project Spectrum: Created by the Office of Small Business Programs of the Department of Defense. The goal of Project Spectrum is to educate businesses about CMMC and how to be compliant. It includes training videos, webinars from DoD officials, online course, NIST Self-Assessment Tool, and more.

 

NIST Small Business Cybersecurity Corner: Created by the U.S. Department of Commerce. This site provides cybersecurity basics, guidance, solutions, and training to protect your information and manage your risks. Look into The National Initiative for Cybersecurity Education (NICE) framework to access provides free and low-cost online cybersecurity training.

 

ND-IASC CyberAssist: The DIB SCC Industry Task Force is identifying and posting links to helpful publicly available cybersecurity resources. The resources were selected both to help companies (i) meet DoD and other U.S. cybersecurity standards applicable to U.S. federal contractors (e.g., FAR Basic Safeguarding clause, DFARS Safeguarding CDI clause, CMMC); and (ii) otherwise improve their current cybersecurity protections.

 

Manufacturing Extension Partnership (MEP): The MEP Program is a national network with hundreds of specialists who understand the needs of America's small manufacturers. Contact your local MEP Center to learn how they can help you assess your business’s current risk posture, identify any gaps, and implement solutions to cost effectively protect your digital and information assets and meet your legal and contractual cybersecurity and privacy requirements.

After reviewing the educational material, the subcontractors can review the Cybersecurity Toolkit to find the CMMC - SSP and POAM Template. This template helps the subcontractor create a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M). These documents are necessary to implement NIST Special Publication 800-171, the publication called out in DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting).

 

The NIST SP 800-171 publication provides agencies with recommended security requirements for protecting the confidentiality of CUI. The requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components.

 

Here are the resources for your business to review the NIST 800-171 publication:

• Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 rev 1 Security Requirements: Review the step-by-step guide to assessing a small manufacturer’s information systems against the security requirements in NIST SP 800-171 Rev 1. Click here to access or download the Bell Cyber Toolkit.
• NIST SP 800-171 rev 1 DoD Assessment Methodology Version 1.2.1: Provides a standard methodology that enables a strategic assessment of a contractor’s implementation of NIST SP 800-171 Rev 1. Click here to access or download the Bell Cyber Toolkit.

 

NOTE: Bell suppliers are required to attest their organization’s compliance to DFARS 252.204-7012 and indicate the organization has enacted the security requirements in NIST SP 800-171 in section 10 of the Annual Certification.

 

In addition to DFARS 252.204-7012, The Department of Defense has introduced two additional Defense Federal Acquisition Regulation Supplement (DFARS) requirements related to NIST SP 800-171.

DFARS 252.204-7019	DFARS 252.204-7020
Notice of NIST SP 800-171 DoD Assessment Requirements	NIST SP 800-171 DoD Assessment Requirements
Advises offerors required to implement the NIST SP 800-171 standards of the requirement to have a current NIST SP 800-171 DoD Assessment on record to be considered for award. Requires offerors to post current Assessments in the Supplier Performance Risk System (SPRS).	Requires contractors to provide the Government with access to its facilities, systems, and personnel when necessary for DoD to conduct or renew a higher-level NIST SP 800-171 DoD Assessment.

The clauses above do not duplicate, overlap, or conflict with any other Federal rules. Rather these rules validate and verify contractor compliance with the existing cybersecurity requirements in FAR 52.204-21 and DFARS 252.204-7012 and ensures that the entire DIB sector has the appropriate cybersecurity processes and practices in place to properly protect FCI and CUI during performance of DoD contracts.

 

NOTE: Subcontractors need to complete the NIST SP 800-171 basic assessment and submit your results into the Supplier Performance Risk System (SPRS). For guidance on the use of SPRS, please review the Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) guide. This assessment methodology measures a company’s compliance to the 110 controls of NIST SP 800-171. A NIST score could be zero, a negative score, or a perfect score being 110.

With the implementation of Cybersecurity Maturity Model Certification (CMMC) 2.0, the Department of Defense is introducing several key changes that build on and refine the original program requirements.

 

Streamlined Model

• Focused on the most critical requirements: Streamlines the model from 5 to 3 compliance levels
• Aligned with widely accepted standards: Uses National Institute of Standards and Technology (NIST) cybersecurity standards

 

Reduced Assessment Costs

• Reduced assessment costs: Allows all companies at Level 1 (Foundational) to demonstrate compliance through self-assessments
• Higher accountability: Increases oversight of professional and ethical standards of third-party assessors

 

Flexible Implementation

• Spirit of collaboration: Allows companies, under certain limited circumstances, to make Plans of Action & Milestones (POA&Ms) to achieve certification
• Added flexibility and speed: Allows waivers to CMMC requirements under certain limited circumstances

 

For updates on CMMC 2.0, please review the following helpful links:

• Homepage: https://www.acq.osd.mil/cmmc/index.html
• FAQs: https://www.acq.osd.mil/cmmc/faq.html
• CMMC Documentation and Assessment Guides: https://www.acq.osd.mil/cmmc/documentation.html

 

Whether your business is a machine shop or a large OEM, you'll need a cybersecurity certification. The level varies by what kind of data you access from the prime contractor.

 

Think of CMMC like a quality certification, and view the parallels below:

	AS9100 Rev D	CMMC
Certification to do businesses with the DoD	Yes	Yes
Individual auditors	Yes	Yes
Renewable Certification	Yes	Yes
Goal of the Certification	Create a standard for Quality Management Systems in the Aviation, Space and Defense (AS&D) industry	Create a standard for cybersecurity practices and hygiene in the Defense Industrial Base (DIB).

 

We've made physical safety and quality a foundation in how we do business. Now it's time to do the same with our supply base by adopting and standardizing cybersecurity practices to protect the information in the DIB. CMMC builds upon DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), which appears as a flow down in past DoD contracts.

 

I don’t do business directly with the DoD, why does this apply to me?

 

Since CMMC is a DFARS requirement, it is mandated to be flowed down to the supply chain. Whether you're a 1st or 7th tier subcontractor, a CMMC level must be awarded for you in order to do business with the DoD at any level. The goal of CMMC is to mitigate risk of information theft at all levels.

1. Identify your Stakeholders

• Who will lead the CMMC initiative for the business?
• Who will be affected by this new requirement?
• Who will help interpret and implement changes that this requirement will bring in the business?
• Who will approve additional personnel/equipment needed to be CMMC compliant?
• Ex: Legal, Compliance, IT, Cybersecurity, Engineering, Procurement, Contracts

 

2. Quantify Resources and Personnel

• Should the business hire consultants or does the business have the resources and expertise to do a self-evaluation and implementation?
• How many man hours will be needed to be compliant?
• How much will I spend on software, hardware, or firmware purchases and upgrades to be compliant?

 

2. Determining the Right CMMC Level for your Business

• Who should help gauge my data sharing environment?
• Do I handle CUI or do I anticipate handling CUI in the future?
• How much data and what type of data from the prime do I access?
• How much data from the prime am I flowing down?

CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

 

A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at: https://www.archives.gov/cui. Resources, including online training to better understand CUI, can be found on National Archives’ website at https://www.archives.gov/cui/training.html.

 

 

For guidance on how to mark CUI data in your business, please review the training publication provided by the Department of Defense here or at https://www.dodcui.mil/Home/Desktop-Aids/.

 

 

To create a SPRS account, go to the Procurement Integrated Enterprise Environment (PIEE) Getting Started Page. To troubleshoot problems you may encounter when creating a PIEE account, please contact the PIEE Help Desk. Per the new provision DFARS 252.204-7019, offerors must ensure the results of any applicable current Assessments are posted in Supplier Performance Risk System (SPRS). Please review the Quick Entry Guide for step by step instructions to log your assessment into the Assessment Database. To troubleshoot problems you may encounter when entering your assessment, please review the FAQs or contact customer support.

Under CMMC 2.0, the "Advanced" level (Level 2) will be equivalent to the NIST SP 800-171. The "Expert" level (Level 3), which is currently under development, will be based on a subset of NIST SP 800-172 requirements.