DFARS 252.204-7012 initially allowed companies to self-attest that they met DoD minimum cybersecurity requirements in alignment with NIST SP 800-171 (Rev 2). However, in November 2020, DFARS 252.204-7019 and DFARS 252.204-7020 were introduced to ensure more accurate reporting of cybersecurity compliance. These new requirements provided a higher level of confidence that companies were submitting more accurate information about their cybersecurity compliance to the DoD. To comply, companies must maintain a system security plan (SSP) and a plan of action and milestones (POAM) for addressing any deficiencies. These additional DFARS requirements include entering a Supplier Performance Risk System (SPRS) score in the Procurement Integrated Enterprise Environment (PIEE). This is a legal requirement for a defense industrial base (DIB) company to be able to handle controlled unclassified information (CUI) when doing business with the DoD, DoD suppliers and/or space applications.
FluxWorks had already secured multiple Small Business Innovation Research (SBIR) contracts and was aiming to expand into larger contracts and obtain follow-on funding. However, a significant obstacle was meeting the requirements of all applicable DFARS. To address this challenge, FluxWorks proactively reached out to TMAC, part of the MEP National Network™, for assistance.
Working with TMAC jump-started our journey toward full NIST SP 800-171 compliance. Their initial gap assessment established a strong baseline and ensured we were well-prepared when engaging a third-party company to implement our cybersecurity policies and controls. Additionally, TMAC has been instrumental in planning and executing our new 9,000-square-foot facility, which will create new jobs and manufacturing opportunities in Conroe, TX.