Italian, European, NATO and USA companies must protect know-how and prevent information exfiltration carried out by foreign or malicious actors. Strict rules have been laid down in the past years, whereas increasing risks of today involve the whole panorama of unclassified information within which many tempting trade secrets make foreign countries and astute competitors want to have them.
Cyber Security has become a key element of so-called “asymmetric cyberwarfare” and the USA has developed a certification model for all its suppliers: CMMC - Cybersecurity Maturity Model Certification. From now until 2025, any RFQ of DoD must ensure specific levels of CMMC Certification. All DoD’s providers and sub-providers, including foreigners, shall provide this requirement.
Cybersecurity has become a key element of the DFARS new rules (Defence Federal Acquisition Regulation Supplement), in force since 1 December 2020. The DoD’s providers are required to implement, monitor and ensure compliance with NIST SP800-171 and with CMMC afterwards.
Gerico Security guides companies through the compliance process with NIST SP800-171 and through Self Assessments for DoD and supports those that need to be compliant with CMMC to address Level 1 or level 3 certification audits.
The new rules that complete the DFARS clause 252.204-7012 are:
- DFARS clause 252.204 – 7019. Gli appaltatori e sub-appaltatori devo verificare la loro conformità alla NIST SP 800 – 171. Il risultato del self-assessment andrà riportato sul DoD Supplier Performance Risk System (SPRS). La valutazione deve essere eseguita utilizzando il DoD Assessment Methodology nella attuale version 1.2.1.
- DFARS clause 252.204 – 7020. Gli appaltatori devono fornire al governo l’accesso alle loro strutture, sistemi e personale. Gli appaltatori devono anche garantire che i subappaltatori interessati abbiano a loro volta una valutazione NISP SP 800-171 pubblicata in SPRS.
- DFARS clause 252.204 – 7021. Appaltatori e subappaltatori devono disporre della appropriata certificazione CMMC da mantenere per tutta la durata del contratto.
DFAR Cybersecurity requirements timeline
