In the event the contractor does not have the DFARS clause 252.204-7020 in their current contract, the memo advises contracting officers to negotiate bilateral modifications to incorporate the clause.

issued prior to Novemwould not contain this clause and the memo suggests two alternative methods to enforce compliance.

The 7020 clause should be present in all subsequent solicitations, contracts, task orders, or delivery orders since, except for those dealing with the acquisition of commercial off the shelf products. The memo reminds its readers that the 252.204-7020 clause took effect on Novemthrough DFARS interim rule 2019-D041.

Terminating the contract in part or in whole

In the last 30 days, we can confirm that DIBCAC has started conducting Medium Assessments and they are only allowing 120 days for remediation of controls self-assessed as met but identified as insufficient by their Medium Assessment.

DoD considers failure to make progress on a plan to implement NIST SP 800-171 requirements as a “material breach” of contract requirements and this memo lists remedies for such a breach as:

In short, when a contracting officer initiates a medium or high assessment, DIBCAC will request a copy of the contractor’s System Security Plan (SSP) and they expect to receive it within 5 business days.
Verification, examination, and demonstration of a Contractor’s system security plan to validate the implementation of NIST SP 800-171 security requirements

The Contractor shall provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800–171 DoD Assessment, as described in NIST SP 800–171 DoD Assessment Methodology at Strategically Assessing Contractor Implementation of NIST SP 800-171, if necessary.”

A review of the contractor’s self assessment of NIST SP 800-171

A thorough document review (of the System Security Plan)

Discussions with the contractor to obtain additional information

It builds on the prerequisite Registered Practitioner foundation. The classes were typically one week of virtual or in-person instruction at a cost of around $2k to $4k per person.

Early birds who took the training still have to wait until October 2022 to take the exam before they can receive the CCP credentials.

But now the CyberAB has introduced a path that would steer consultants away from CCP by offering Registered Practitioner Advanced (RPA) training. These courses, provided by Licensed Training Providers (LTPs), started at the end of 2021. Many of them have already registered for and taken the Certified CMMC Professional (CCP) training. This includes both consultants and assessors. There are individuals who want to learn how assessors will evaluate the implementation of these controls. No background knowledge of cybersecurity was required to pass the quizzes and there was no training on how to implement NIST SP 800-171 controls. To be a Registered Practitioner (RP) today, an individual must pay $575, undergo a background check and pass a series of quizzes following 5 hours of online training. One for consultants and one for assessors. The CyberAB has always advocated for two paths for individuals performing services in the ecosystem.
Specifically in the consultant, assessor and training silos of the ecosystem. The announcement of the new Advanced Registered Practitioner badge ruffled a lot of feathers.