DFAR 7012 or 7020

RJT (Titanium), joined Aug 24, 2006, location: greensboro, northcarolina
A good customer is asking if we are willing to become compliant with these regulations. Looking for anyone (small business) who has gone through this and is willing to share some insight. From what I'm reading, it looks like a lot of cyber / IT conformance. Wondering if this is something we could do ourselves or whether we would need an outside consultant / contractor?
 
First big question: Do they want you to be compliant because they're required to flow down the DFARS clause, or do you actually need to work with CUI?
 
Both. I have completed a SSP and am working on getting it tested. Not entirely clear how that happens, or if I can self test it. I've been told that if it tests with a high enough score, I can be classified compliant. Lots of hoops to jump through and a ton of stuff to read through.
 
We did this a few years ago at a customer's request. The letters keep changing and it's hard for me to keep up to date with what we are calling it now, but it is essentially computer security and how to handle CUI. We convinced our customer to pick up the tab for the audit, which was like 25k. They checked building security as well as our network security.

We hired a consultant at $500 per month to keep everything up to date and sort through the BS associated with it. We were able to keep things pretty low key by using encrypted USB devices and air gapped computers and machines.

Good luck to you.
 
I spent about 30 hours on this, and was able to get it done. Very cumbersome. Several calls to .gov help desks, and they were surprisingly very helpful. The major problem was I didn't know the right questions to ask. Had to initiate several new security procedures, but there was no other way to keep doing defense work.

Sent from my motorola one 5G UW using Tapatalk
 