Introduction
When DoD customer organizations ask about NIST 800-171, DFARS 7012, and CMMC, they usually follow the DoD assessment framework. However, they often make changes to fit their own internal processes. In this blog, we’ll go through specific examples of how DoD customer organizations like the US Army and US Air Force ask about NIST 800-171, DFARS 7012, and CMMC.
A US Air Force basic assessment
Here is an example of a basic assessment from the Air Force Research Lab (AFRL). The customer organization will likely require the submission of a Supplier Performance Risk System (SPRS) score and a completed questionnaire.
These questionnaires can vary depending on the customer organization, whether it's the Navy, the Army, or the Marines. However, at a basic level, the customer organization may send a questionnaire as part of the basic assessment process.
A US Army medium assessment
The specific requests from a DoD customer organization will depend on both the customer and the cybersecurity officer or information security team. A medium assessment may involve a request for the company's system security plan, similar to what is required under the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) framework.
Questions may include: What is your system security plan? Can you answer some questions over a call? The goal is to review documentation and confirm that the system security plan meets the necessary requirements.
The email in the image is a request from the Army. They want to review a System Security Plan and POAM for a medium assessment.
It is important to note that the Department of Defense (DoD) is taking this matter more seriously. The email says, "Not having a Cybersecurity score of 110 or a POAM to fix the issues will delay the contract award." Failing to provide accurate documentation may result in additional questions, contract delays, and potentially damaged relationships.
A high assessment conducted by a DoD Customer Organization
The most detailed assessment that a DoD customer organization will require is its version of a high assessment. An example of a high assessment is when a DoD customer organization visits a vendor’s facility with a team of cybersecurity professionals to evaluate its cybersecurity program. These cybersecurity teams that show up at a company's facility will either be part of the DoD customer organization or DIBCAC.
The image above is an example of an email a company would receive when it has to go through a high assessment.
To learn how primes ask about NIST 800-171, DFARS 7012, and CMMC, check out our latest blog!
If you're experiencing pressure from a customer organization to comply with NIST 800-171, Atomus can help! Our end-to-end solution provides a unique combination of technology and human support services that can help simplify your compliance journey. To learn more about Atomus, please schedule a meeting with one of our experts today.