Press Release: HCRS Is Ready to Assist the 75% of Government Contractors That Are Not Cyber-Compliant - Healthcare Resolution Services


In an effort to protect Controlled Unclassified Information (CUI), the Department of Defense (DoD) has heightened its auditing and enforcement of cyber requirements for government contractors. According to FutureFeed, this comes in the wake of audits where 75 percent of contractors that self-attested as meeting all DoD requirements were shown to be in error.

What Does This Mean for Contractors?

Contractors with misreported scores face the loss of current or future contracts, as well as fines.

What Contractors Must Do Now

All contractors that want to partner with the federal government must perform self-assessments to verify their compliance with NIST SP 800-171. Those assessments involve two key DFARS clauses: 7019, which acknowledges that the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), as well as other organizations, will audit these assessments; and 7020, which imposes these assessments and specifies how they’re scored. Contractors’ scores must be submitted to the DoD’s Supplier Performance Risk System (SPRS) before they will be given consideration. Contractors must also maintain two (2) pieces of evidence for each of the 110 practices under NIST SP 800-171.

How Many Contractors Have Submitted Scores?

Currently, only a fourth of contractors that handle CUI have submitted scores — and, as previously noted, only a quarter of those submissions have been accurate. 

The Takeaway

The DoD is expected to release its final rulemaking for the Cybersecurity Maturity Model Certification (CMMC), the enforcement arm for DFARS 7019 and 7020. Companies should take the time now to confirm whether they truly meet NIST compliance and report their scores to SPRS. Low scores are not penalized, as contractors can establish Plans of Action and Milestones (POA&Ms) to fill any identified gaps, with the intent to implement those changes within 180 days of reporting. 

The Solution

Healthcare Resolution Services (HCRS) can assist organizations that need guidance on improving their scores. As a registered provider organization (RPO), they can identify which NIST requirements have not been met, and establish POA&Ms to fulfill them, prior to an actual audit by a CMMC Third-Party Assessment Organization (C3PAO).

Where to Start

Contractors can start their path to cyber excellence and NIST compliance by downloading HCRS’s complimentary ebook, Cybersecurity Checklist for All Business Owners. Click here to obtain a copy, or contact them for more information.
