US Defense Contract Changes Mean New Rules for Heat Treaters

If you are a heat treater, commercial or captive, and you provide services or products to a Department of Defense (DoD) contractor or to one of its downstream suppliers, or you sit anywhere else in the DoD supply chain, these DoD mandates most likely affect you, and you need to read this article carefully. Your current and future business could depend on it.

This article, and the articles that follow, answer the most common questions about how heat treaters can position themselves for additional business by becoming compliant, staying compliant, and improving their overall cybersecurity health.

Discussions around DFARS compliance, NIST SP 800-171 implementation, and cybersecurity within the federal defense contracting space are becoming increasingly prevalent. Although it seems like the conversation has just recently gained steam, the DFARS mandate has been around longer than most people realize.

With the ever-growing threat of cyberattacks, it is critical that you secure not only your own data but also the data your customers entrust to you. If a customer asks you to demonstrate proof of compliance and you cannot, you are jeopardizing your current contracts and your future business.

If your company processes, stores, or transmits Controlled Unclassified Information (CUI) in any way, you are already required to implement NIST Special Publication 800-171 Rev. 2 under Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which is flowed down into your contracts, whether or not your customers have ever asked you about it.

The deadline to comply with NIST SP 800-171 was December 31, 2017, and it has already come and gone. In other words, if you handle CUI in any way, you need to be NIST SP 800-171 compliant now and, as CMMC is phased into contracts, certified at the CMMC level your contracts call for, in order to keep being awarded DoD work. A deadline that passed in 2017 is now getting a huge amount of attention, which is putting pressure on businesses that deal with CUI: many put this off for years, and others did not know about the requirements. Recently, businesses have had current contracts pulled and have become ineligible for new awards until they can show they are compliant. A NIST SP 800-171 implementation normally takes 9 to 18 months to complete.

Complying with the NIST SP 800-171 requirements is not only for those that handle CUI; it is also a sound business practice for protecting and safeguarding your systems, networks, and data.

What is DFARS 252.204-7012?

DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is a flow-down clause: it obligates DoD prime contractors to meet NIST SP 800-171 themselves and to flow the same obligation down to every subcontractor and supplier that handles covered defense information. All covered contractor information systems that are not operated on behalf of the government must implement the security requirements in NIST SP 800-171. The clause also requires you to report cyber incidents affecting covered defense information to DoD within 72 hours of discovery and to preserve affected system images and data for at least 90 days. Customer audits and DoD audits are already happening. To meet these requirements, obligated companies must be able to demonstrate their own compliance and that of their subcontractors and suppliers, hold the required documentation (at minimum a system security plan and plans of action for any open requirements), and show proof that adequate due diligence was performed.

What Is NIST SP 800-171?

NIST SP 800-171 is short for National Institute of Standards and Technology Special Publication 800-171. It applies to DoD primes, their subcontractors, and anyone further down the supply chain whose contract carries DFARS 252.204-7012 and who handles CUI. Not complying with NIST SP 800-171 does not just mean you are practicing poor cybersecurity; it also means you are not keeping up with your heat treat competitors. Some customers may already have asked whether you are compliant, and if they have not, they soon will.

NIST SP 800-171 provides security requirements for non-federal organizations that transmit, process, or store CUI on behalf of federal agencies. The five functions often quoted alongside it (identify, protect, detect, respond, and recover) come from the NIST Cybersecurity Framework, not from SP 800-171 itself. They are a useful way to organize an information security program that protects CUI and reduces cyber risk, but what an assessor actually checks is the SP 800-171 requirement families described next.

NIST SP 800-171 Rev. 2 consists of 110 security requirements in 14 requirement families: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. The companion publication NIST SP 800-171A breaks those 110 requirements into 320 assessment objectives, and every objective under a requirement must be met for that requirement to count as implemented. NIST SP 800-171 is a contractual requirement for protecting and safeguarding CUI handled for the DoD, the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA). For heat treaters, CUI could include part drawings, images, and specifications for parts that are protected in the interest of national security.

How do you Get Started?

You start with a basic assessment, which under the DoD Assessment Methodology is a self-assessment of your systems and facility against the 110 requirements. Since November 2020, DFARS 252.204-7019 and 252.204-7020 have required a current basic assessment score (not more than three years old) to be posted in the Supplier Performance Risk System (SPRS) before a contract can be awarded. The score is computed on a 110-point scale: each requirement is assigned a weight of 5, 3, or 1 point, you start at 110, and you subtract the weight of every requirement you have not implemented. Two requirements, multifactor authentication and FIPS-validated cryptography, lose only 3 of their 5 points when partially met. The weights add up to 313, so the score ranges from -203 up to a maximum of 110, and any score below 110 must be posted with a plan of action and a date by which you expect to reach 110. Your first basic assessment score will almost certainly not be a perfect 110 and could very well be negative. Submitting a perfect score of 110 on your first basic assessment to SPRS could be viewed as a red flag and trigger additional audits.
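The scoring rule above is simple enough to code, and doing so is a good way to keep a self-assessment honest: every point deducted is tied to a named requirement, and the two partial-credit cases and the system security plan rule are handled explicitly. The following is an added example written for this article, not code from the author or a DoD tool. The weight table it embeds is a constructed subset of the methodology's Annex A for illustration; a real run loads all 110 weights, and `weight_table_is_complete` checks that a loaded table has the right shape.

```python
"""
Score calculator for the NIST SP 800-171 DoD Assessment Methodology.

Added example for this article; not the author's code and not a DoD tool.
Rule implemented: start at 110 and subtract the weight (5, 3 or 1) of every
requirement that is not implemented. 3.5.3 (MFA) and 3.13.11 (FIPS-validated
cryptography) lose 3 points instead of 5 when partly met. Without a system
security plan (3.12.4) no assessment can be completed. The 110 weights sum
to 313, which is why the floor is 110 - 313 = -203.
"""
from dataclasses import dataclass, field
from typing import Dict

MAX_SCORE = 110
TOTAL_WEIGHT = 313                       # sum of all 110 Annex A weights
MIN_SCORE = MAX_SCORE - TOTAL_WEIGHT     # -203
SSP_REQUIREMENT = "3.12.4"
# Points deducted when the requirement is only partly implemented.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
VALID_STATUSES = {"implemented", "partial", "not_implemented"}

# Constructed sample subset of the Annex A weight table so the example runs
# stand-alone. A real assessment loads all 110 requirements.
SAMPLE_WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.5": 3,    # least privilege
    "3.1.20": 1,   # verify and control connections to external systems
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography for CUI confidentiality
    "3.14.2": 5,   # malicious code protection
}


class AssessmentError(ValueError):
    """Raised when the inputs cannot yield a valid basic assessment score."""


@dataclass
class ScoreResult:
    score: int
    deductions: Dict[str, int] = field(default_factory=dict)

    @property
    def poam_required(self) -> bool:
        # Anything under 110 is posted to SPRS with a plan of action and
        # a date by which the remaining requirements will be met.
        return self.score < MAX_SCORE


def weight_table_is_complete(weights: Dict[str, int]) -> bool:
    """Sanity check for a full Annex A table: 110 entries summing to 313."""
    return len(weights) == 110 and sum(weights.values()) == TOTAL_WEIGHT


def score_assessment(weights: Dict[str, int], statuses: Dict[str, str]) -> ScoreResult:
    """Compute the basic assessment score for the given weight table.

    `statuses` maps each requirement id in `weights`, plus 3.12.4, to one of
    implemented / partial / not_implemented.
    """
    if statuses.get(SSP_REQUIREMENT) != "implemented":
        raise AssessmentError("no system security plan (3.12.4): assessment cannot be completed")
    missing = set(weights) - set(statuses)
    if missing:
        raise AssessmentError(f"no status recorded for: {sorted(missing)}")

    deductions: Dict[str, int] = {}
    for req, weight in weights.items():
        status = statuses[req]
        if status not in VALID_STATUSES:
            raise AssessmentError(f"{req}: unknown status {status!r}")
        if status == "implemented":
            continue
        if status == "partial":
            if req not in PARTIAL_DEDUCTION:
                raise AssessmentError(f"{req}: no partial credit; record it as not_implemented")
            deductions[req] = PARTIAL_DEDUCTION[req]
        else:
            deductions[req] = weight

    score = MAX_SCORE - sum(deductions.values())
    if not MIN_SCORE <= score <= MAX_SCORE:   # impossible with a valid weight table
        raise AssessmentError(f"score {score} outside [{MIN_SCORE}, {MAX_SCORE}]")
    return ScoreResult(score=score, deductions=deductions)


# Constructed sample self-assessment: everything in place except MFA for
# general users, no FIPS-validated encryption, and unmanaged external links.
SAMPLE_STATUSES = {req: "implemented" for req in SAMPLE_WEIGHTS}
SAMPLE_STATUSES.update({
    SSP_REQUIREMENT: "implemented",
    "3.5.3": "partial",
    "3.13.11": "not_implemented",
    "3.1.20": "not_implemented",
})

if __name__ == "__main__":
    result = score_assessment(SAMPLE_WEIGHTS, SAMPLE_STATUSES)
    print(f"score {result.score}, deductions {result.deductions}, "
          f"POA&M required: {result.poam_required}")
```

Run against the constructed sample, the three gaps cost 3 + 5 + 1 points for a score of 101, and the result flags that a plan of action is needed. Recording a requirement as "partial" when the methodology gives it no partial credit is rejected rather than silently rounded, which is exactly the kind of optimistic self-scoring that gets a posted score challenged later.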

Even if you have already begun some form of a cyber/IT security compliance project, it is highly recommended that you retain the help of a qualified DFARS / NIST 800-171 consultant or a CMMC Registered Practitioner (RP) to guide or lead your company through this complicated process.

NIST 800-171 Compliance benefits your business for the following reasons:

  • Protects against malware, ransomware, and other cyber threats;
  • Helps avoid the legal trouble that follows a cybersecurity breach;
  • Mitigates the impact of lost or compromised data; 
  • Secures sensitive information;
  • Helps avoid the extreme costs that follow a successful breach;
  • Maintains a trustworthy reputation with your customers.

Never Inflate Your Score

Your assessment scores are serious business. Be 100% truthful with your score, and have the evidence to back it up. I have worked with companies that had previously self-attested and submitted a perfect score of 110 to SPRS. Because the score was inflated, it cost them several major existing contracts from a large DoD contractor, and they are not being considered for future contracts until they correct it and provide evidence and accurate documentation of their compliance.

Remember, you can be audited at any time by the DoD or by your customers, who may or may not be prime contractors for the DoD. Always be prepared.

Misrepresenting your compliance to the Government can be pursued under the False Claims Act and related statutes (the Department of Justice's Civil Cyber-Fraud Initiative targets exactly this), and the penalties may include:

  • Loss of contracts,
  • Loss of ability to bid on future contracts,
  • Fines,
  • Criminal charges.

What Is CMMC 2.0?

The Cybersecurity Maturity Model Certification (CMMC) program is aligned with DoD’s information security requirements for DIB (Defense Industrial Base) partners. It is designed to enforce the protection of sensitive unclassified information that is shared by the DoD with its contractors and subcontractors. The program provides the Department with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.

The CMMC 2.0 program has three key features:

  • Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
  • Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets out the process for requiring the protection of information that is flowed down to subcontractors.
  • Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

CMMC 2.0 is built directly on NIST SP 800-171: the Level 2 practices are the same 110 SP 800-171 requirements, so you should get started on NIST SP 800-171 compliance now, before you start losing contracts. Remember, it will take between 9 and 18 months to become compliant. Once NIST SP 800-171 is implemented, CMMC will be a smooth transition to certification.

About The Author: Joe Coleman is the Cyber Security Officer at Bluestreak Consulting™, which is a division of Throughput | Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, DFARS, NIST SP 800-171, and CMMC, and a career as a machinist, machining manager, early additive manufacturing (AM) pioneer, and production control/quality management software implementer and instructor. Joe is a Certified CMMC Registered Practitioner (RP).

Did you like this article? Click here to subscribe to The Monty.
