CYBERSECURITY UPDATE:
In the current landscape, small businesses must adhere to the essential cybersecurity requirements outlined in DFARS 7012, 7019, and 7020. These clauses, included in solicitations that involve Controlled Unclassified Information (CUI), mandate that bidding vendors possess a System Security Plan (SSP) and a Program of Actions and Milestones (POAM), and that they have completed a self-assessment covering 17 Fields and 110 Requirements. The scored self-assessment results must be uploaded into the Department of Defense's Supplier Performance Risk System (SPRS) before a vendor is eligible to bid on the solicitation.
The Cybersecurity Maturity Model Certification (CMMC) has evolved into CMMC 2.0, currently open for public comment before its anticipated inclusion in the Federal Acquisition Regulation (FAR) later this year. CMMC 2.0 introduces three levels, with Level 1 serving as the foundational tier, addressing Federal Contract Information (FCI) protection for both prime and sub-vendors.
This article focuses on the CMMC Level 1 requirements. Level 1 requires a self-assessment across 6 Fields and 17 Requirements. Although an SSP is not mandatory at this level, any deficiencies identified in the self-assessment must be documented in a POAM that sets out the timeline for achieving full compliance.
Although CMMC began as a Department of Defense (DoD) initiative, it is reasonable to anticipate that CMMC Level 1 compliance will become a requirement for all federal acquisitions in the near future. These 17 requirements are fundamental steps that apply to any small business, offering protection against cyberattacks from any source, not only foreign powers seeking to undermine national security.
While implementing CMMC Level 1 may demand effort and incur costs for small businesses, the aftermath of a cyberattack can be financially devastating. Reports indicate that 43% of all cyberattacks target small businesses, yet only 28% have plans to mitigate such threats. Alarmingly, 74% of small business breaches stem from human error, yet only 14% of small businesses carry insurance coverage against cyberattacks. The cost of recovering from a cyberattack spans a wide range, from $826 to $653,000, and can lead to the closure of the affected small business.
For further insights and detailed information, consider reaching out to your local Idaho APEX Accelerator counselor. Additionally, explore ProjectSpectrum.io and other links below for valuable free resources to enhance your understanding of cybersecurity measures.
-Lee Velten
Senior Analyst
Idaho APEX Accelerator