Cybersecurity Compliance and Risk Assessment

Purpose: Introduces the concept of a common Cybersecurity Compliance and Risk Assessment (CCRA) for the Defense Industrial Base.

CCRA Announcement Letter

The CCRA concept allows suppliers to complete ONE assessment that is accepted on a reciprocal basis by DoD Prime contractors and other companies that recognize the CCRA. This introduces efficiencies and cost savings compared with current practice. As suppliers have observed, while regulatory cybersecurity requirements continue to grow and evolve, companies have resorted to developing proprietary assessments or using outdated questionnaires to capture compliance and risk information. This approach places a significant burden on suppliers, who must provide unique responses to assessment tools containing varying numbers of security requirements and inconsistent language.

The transition to the CCRA will introduce a consistent approach for acquiring cybersecurity compliance and risk information, introduce a reduced set of required responses, and introduce the efficiency of answering once and sharing with many who recognize the reciprocal value of the CCRA.

What is driving the change?
The primary drivers for this change include feedback from our suppliers who seek reduced administrative burden in documenting cybersecurity and risk information, coupled with supplier concern about meeting the DoD’s compliance requirements.  To address suppliers’ input, the Defense Industrial Base (DIB) Sector Coordinating Council (SCC) Supply Chain Cybersecurity Task Force (SCCTF) created the CCRA Working Group to develop the CCRA as a common set of security requirements integrated into a single concise format to measure both risk and compliance.
What is the Cybersecurity Compliance and Risk Assessment?
The current version of the CCRA contains a maximum of 60 total questions and security requirements in a macro-enabled Excel file format. The file adjusts the number of required questions and security requirements based on responses in the compliance section of the CCRA. The risk assessment section is a subset of NIST SP 800-171 Rev 2 security requirements intended to ensure the protection of sensitive information. The CCRA is intended to be an industry-agnostic tool that enables any company, regardless of size or scope, to effectively capture a baseline risk assessment for entities with which sensitive data is shared. It should be noted, however, that completing the CCRA does not waive or substitute for any DoD-required assessment, nor does it imply approval to host or process controlled unclassified information (CUI).
When will the CCRA be available?

The assessment will be available for download below beginning December 14, 2023.

CCRA Deployment
Member companies who are part of the DIB SCC CCRA Working Group will begin piloting the use of the CCRA following this general announcement. The organizations that will pilot the CCRA are listed below:

Company Name                    Website
ND-ISAC – CCRA Working Group    https://ndisac.org/
Lockheed Martin                 https://www.lockheedmartin.com
Boeing Company                  https://www.boeing.com/
Leidos, Inc.                    https://www.leidos.com/
RTX                             https://www.rtx.com/
Booz Allen Hamilton             https://www.boozallen.com/
Centurum, Inc.                  https://www.centurum.com/
Frontgrade                      https://frontgrade.com/
Win-Tech                        https://win-tech.net/
Northrop Grumman                https://www.northropgrumman.com/
L3Harris                        https://www.l3harris.com/
BAE Systems                     https://www.baesystems.com/en/home
Huntington Ingalls Industries   https://hii.com/
Accenture Federal Services      https://www.accenture.com/
Rolls Royce                     https://www.rolls-royce.com/

The Cybersecurity Compliance and Risk Assessment (.xlsm) can be downloaded below:
Version: 1.03

Checksum:

MD5: EF2841C4CE09733AFB0159D8724454CB
SHA256: 41236A5B02AD907F041DBCB105F282CBAC829CFDA6C6EC796F30FDBCE14AB417

Information on how to perform a checksum can be found at Microsoft Support.

This content was developed by subject matter experts of Member Companies of the Defense Industrial Base Sector Coordinating Council (DIB SCC) Supply Chain Cybersecurity Task Force and its working group for Common Cybersecurity Compliance and Risk Assessment (CCRA). This content is provided with the assistance of the National Defense Information Sharing and Analysis Center (ND-ISAC) and is intended to assist and inform small and medium-sized businesses (SMBs) in assessing cybersecurity risk and compliance of their suppliers. This content is provided at no cost and is based on good faith analyses of best practices in cybersecurity compliance and risk assessment.

THIS CONTENT IS EXPRESSLY PROVIDED “AS IS.” NEITHER THE DIB SCC CCRA WORKING GROUP NOR ND-ISAC MAKE WARRANTY OF ANY KIND, EXPRESSED, IMPLIED, IN FACT OR ARISING BY OPERATION OF LAW, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NEITHER THE DIB SCC CCRA WORKING GROUP NOR ND-ISAC REPRESENTS NOR WARRANTS THAT THE OPERATION OF THIS CONTENT WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. NEITHER THE DIB SCC CCRA WORKING GROUP NOR ND-ISAC WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF THIS CONTENT OR THE RESULTS THEREOF, INCLUDING BUT NOT LIMITED TO THE CORRECTNESS, ACCURACY, RELIABILITY, OR USEFULNESS OF THE CONTENT.

You are solely responsible for determining the appropriateness of using this content and you assume all risks associated with its use, including but not limited to the risks and costs of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and the unavailability or interruption of operation. This content is not intended to be used in any situation where a failure could cause risk of injury or damage to property. Furthermore, the use of this content does not alleviate any obligation you may have to comply with any contractual or legal requirements, e.g. DFARS 252.204-7012.

Any actions or implementations based on this content are entirely at the user’s risk and with no implied warranty or guarantee; or liability to ND-ISAC or Member Company participants of the ND-ISAC or the DIB SCC. Any questions or issues with the CCRA tool should be referred to the DIB SCC CCRA Team at ccra@ndisac.org.

What is the Cybersecurity Compliance and Risk Assessment (CCRA) and why do we need to complete this survey?
The Cybersecurity Compliance and Risk Assessment (CCRA) was developed by the Defense Industrial Base Sector Coordinating Council (DIB SCC) Supply Chain Task Force to drive a common set of cybersecurity requirements that both document compliance and measure risk. It’s intended to reduce the burden on our suppliers, currently being assessed against multiple standards and in varied formats (often with overly complex and outdated cyber requirements).
Where can I find the latest version of the CCRA?
The latest version of the CCRA can be found on the ND-ISAC CyberAssist website located here.
Where should users be directed if they need technical support/general questions?
Please contact the requesting organizations for support/general questions.
Feedback on the CCRA’s content can be submitted using the CCRA Feedback Form.
Can the Cybersecurity Compliance and Risk Assessment (CCRA) be used across different prime contractors?
Starting December 14, 2023, the CCRA will begin to be adopted by members of the Defense Industrial Base Sector Coordinating Council (DIB SCC) which include Lockheed Martin, Accenture Federal Services, BAE Systems, Booz Allen Hamilton, Boeing, Centurum, Frontgrade Technologies, HII, L3Harris, Leidos, Northrop Grumman, RTX, Rolls Royce, and Win-Tech. We encourage members of the DIB supply chain to utilize the CCRA to assess the cybersecurity compliance and risk of their suppliers.

Note: Each organization will begin piloting use of the CCRA following this general announcement. Please contact the requesting organization for additional information.

How will the CCRA be used and how is the information I put into the form secured?
The use of the CCRA will vary from organization to organization. The CCRA is being made available through the DIB SCC CyberAssist site in a macro-enabled Excel format for ease of access and use, with the ability to share assessment results via an exportable CSV format. Suppliers using the Excel version maintain exclusive control over with whom they share it.

It will also be implemented in web-based formats, like Exostar Onboarding Module (OBM) or OneTrust, where suppliers can select the organizations they want to share it with. Please contact the requesting organization for more information on how the response to the CCRA will be used.

I do not receive CUI/CDI. Why do I need to complete the CCRA to show that I’m compliant with NIST 800-171 controls?
The CCRA is used to assess both cyber compliance and risk. It is built on a set of Scoping Questions that dynamically add or remove questions from the survey based on the responses provided. The Scoping Questions identify the type of information the supplier possesses, processes, transmits, and/or stores (i.e., Federal Contract Information (FCI), Controlled Unclassified Information (CUI), Covered Defense Information (CDI), or other customer-defined Sensitive Information) and highlight other key risk factors, such as when Information & Communication Technology (ICT) is provided by the supplier. Suppliers are then aligned to a set of questions that help us understand their compliance and risk posture.
Why were only a subset of security controls used in the CCRA? What was the reasoning behind the control selection?
The objective of the working group was to develop a single questionnaire that enables a company to collect compliance information and establish a baseline risk assessment. The current 31 controls were selected with the priority of asking as few questions as possible while still gaining a high-level understanding of where significant gaps may be present in a supplier’s cyber posture; each of the 31 controls on the common questionnaire is focused on identifying such gaps.
Since the form is in an Excel macro-enabled format (.xlsm), how can I be assured that it is safe to open?
Ensure that you download the CCRA from the ND-ISAC CyberAssist website located here.

You can calculate the checksum (hash) of the downloaded file in several ways:
1. Navigate to the extracted file. Right-click on the file and select the “CRC SHA” option, then select “SHA-256”. Compare the checksum shown in the prompt with the value provided on the CyberAssist site; the two must match exactly.

2. If the above doesn’t work, open a Windows PowerShell prompt and run “Get-FileHash <filename>”, where <filename> is the downloaded .xlsm file. Get-FileHash uses SHA-256 by default, so compare its output with the SHA256 value above. For more details, see: Get File Hash with PowerShell

How does the survey help represent my compliance with the Cyber DFARS requirements?
The survey has a set of scoping questions that identify the type of sensitive information you possess. If Controlled Unclassified Information (CUI) and DFARS 252.204-7012 are applicable, you will be asked for the status of your implementation of the NIST SP 800-171 security requirements. To be compliant with DFARS 7012, you must attest that all 110 NIST cybersecurity controls are implemented or, for controls not implemented, have a documented Plan of Action and Milestones (POAM) in your System Security Plan (SSP).

If DFARS 252.204-7020 is applicable, you will be asked for the status of your Supplier Performance Risk System (SPRS) submission. To be compliant with DFARS 7020, the supplier’s NIST Assessment results (performed within the prior 3-year period) must be posted to the DoD SPRS.

The CCRA asks for the status of your compliance with these requirements through a few high-level questions. It should be noted, however, that completing the CCRA does not waive or substitute for any DoD-required assessment, nor does it imply approval to host or process controlled unclassified information (CUI).

How does the CCRA calculate and assess the risk rating?
Cyber Risk is measured based on the responses to the Security Controls. In total there are 31 Security Controls: 11 in Category 1, 10 in Category 2, and 10 in Category 3. Based on the responses to the Security Controls, a supplier is given a Cyber Risk Rating of Negligible, Moderate, or Significant.

The following rules are applied for calculating Cyber Risk:

  • Negligible = All Category 1, 2, and 3 controls are implemented
  • Moderate = All Category 1 implemented AND > 1 Category 2 or 3 implemented
  • Significant = Fewer than 11 Category 1 implemented

For Suppliers receiving only FCI and no other customer-sensitive or Controlled data types, the following rules are applied:

  • FCI-only suppliers = Negligible if all 6 FCI security controls are implemented, otherwise Significant.
    ** The subset of FCI security controls is highlighted yellow on the “Questionnaire”
What do the risk ratings represent?
The following are the rules and descriptions for each Cyber Risk Rating:

  • Negligible = (All Category 1, 2, and 3 controls are implemented)
    • Negligible to minimal risks are identified based on the response provided. The supplier has a strong performing cyber risk management program.
  • Moderate = (All Category 1 implemented AND > 1 Category 2 or 3 implemented)
    • Minimal to moderate risks are identified based on the response provided. The supplier has a Cyber risk management program with good protections in place, but additional risk mitigations are likely required to protect Sensitive Information and/or Government/DOD Controlled Unclassified Information (CUI).
  • Significant = (Less than 11 Category 1 implemented)
    • Moderate to significant risks are identified based on the response provided. The supplier has minimal or no cyber risk management program and significant cyber protections are lacking.
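As an added worked example (not the CCRA workbook's own macro code), the rating rules above applied to a constructed set of control responses. Control IDs are placeholders, and the page's "> 1 Category 2 or 3 implemented" wording for Moderate is read as "Category 1 complete but at least one Category 2/3 gap"; both are assumptions.

```python
"""CCRA Cyber Risk Rating rules from the CyberAssist page, applied in code.
Added example, not the CCRA workbook's own macro code; control IDs below are
constructed placeholders, not the real questionnaire labels."""
from collections import Counter

# Control counts per category as stated on the page: 31 controls in total.
CATEGORY_SIZES = {1: 11, 2: 10, 3: 10}
FCI_CONTROL_COUNT = 6  # FCI subset highlighted in yellow on the Questionnaire


def count_implemented(responses):
    """Count implemented controls per category from (id, category, implemented)
    rows, rejecting unknown categories, duplicate IDs and impossible counts so a
    malformed export cannot silently produce a better rating."""
    seen, counts = set(), Counter()
    for control_id, category, implemented in responses:
        if category not in CATEGORY_SIZES:
            raise ValueError(f"{control_id}: unknown category {category}")
        if control_id in seen:
            raise ValueError(f"{control_id}: duplicate response")
        seen.add(control_id)
        if implemented:
            counts[category] += 1
    for category, size in CATEGORY_SIZES.items():
        if counts[category] > size:
            raise ValueError(f"category {category}: more than {size} implemented")
    return {c: counts[c] for c in CATEGORY_SIZES}


def cyber_risk_rating(counts):
    """Apply the published rules to per-category implemented counts."""
    if counts[1] < CATEGORY_SIZES[1]:
        return "Significant"  # fewer than 11 Category 1 controls implemented
    if all(counts[c] == CATEGORY_SIZES[c] for c in CATEGORY_SIZES):
        return "Negligible"  # all 31 controls implemented
    # Assumption: the page's "> 1 Category 2 or 3 implemented" wording is read
    # as "Category 1 complete but at least one Category 2/3 gap" -> Moderate.
    return "Moderate"


def fci_only_rating(fci_implemented):
    """FCI-only suppliers: Negligible only when all 6 FCI controls are in place."""
    if not 0 <= fci_implemented <= FCI_CONTROL_COUNT:
        raise ValueError("FCI implemented count out of range")
    return "Negligible" if fci_implemented == FCI_CONTROL_COUNT else "Significant"


def sample_responses(gaps):
    """Constructed responses: every control implemented except `gaps` per category."""
    return [(f"C{cat}-{n:02d}", cat, n > gaps.get(cat, 0))
            for cat, size in CATEGORY_SIZES.items() for n in range(1, size + 1)]


if __name__ == "__main__":
    for gaps in ({}, {2: 2}, {1: 1, 3: 10}):
        print(gaps, "->", cyber_risk_rating(count_implemented(sample_responses(gaps))))
```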
Can the offline version of the CCRA be uploaded into Exostar or other “buyer” organization’s supply chain risk management systems/platforms?
The intent of the offline Excel version of the CCRA is to give DIB suppliers the flexibility to use the form across multiple platforms and partners. As the form is adopted, organizations like Exostar have developed, or will develop, solutions that accept upload of the CCRA into their systems. Please contact your requesting organizations for details on how it should be submitted.

Note that the CCRA has a built-in capability to enable the export of the responses to a comma-separated value (.csv) file that may be used to upload across multiple platforms.

I don’t possess, manage, or generate Controlled Unclassified Information (CUI) and DFARS 252.204-7012 does not apply to me. Why do I have to complete the CCRA?
The scope of the CCRA is not limited to CUI and DFARS 252.204-7012 requirements. For suppliers to which DFARS/CUI does not apply but that store, process, or transmit other types of customer-defined Sensitive Information (e.g., Proprietary Information, Export Controlled Information, Personally Identifiable Information, Business Confidential, etc.) or Information & Communication Technology (ICT), there is a need to assess Cyber Risk and the supplier’s ability to safeguard the data entrusted to them.
Will completing the CCRA satisfy the requirements to be compliant with DFARS 252.204-7012, DFARS 252.204-7020 and/or CMMC?
No. The CCRA only captures the supplier’s attestation that the DFARS 252.204-7012 and DFARS 252.204-7020 requirements are met. Completing the survey will not make the supplier compliant with these requirements.

To be compliant with DFARS 7012, the supplier must attest that all 110 NIST cybersecurity controls are implemented or, for controls not implemented, have a documented Plan of Action and Milestones (POAM) in its System Security Plan (SSP).

To be compliant with DFARS 7020, the supplier’s NIST Assessment results (performed within the prior 3-year period) must be posted to the DoD SPRS.

How do I access and complete the CCRA?
Suppliers are encouraged to download and review the CCRA from the CyberAssist website. Submission of the CCRA will vary by requesting organization. Please contact your requesting organizations for details on how it should be submitted.
If organizations are implementing the CCRA in different systems and applications, how can I share my responses to the CCRA across the DIB?
Suppliers are encouraged to download and maintain a local version of the CCRA from the CyberAssist website. Once the form is completed, the user can “Validate & Export” the responses to a comma-separated value (.csv) file that can be emailed or uploaded to different systems and applications. Instructions on how to do this are provided within the CCRA.

Submission of the CCRA will vary by requesting organization. Please contact your requesting organizations for details on how it should be submitted.

What is the Onboarding Module (OBM)?
The OBM is Exostar’s solution for an electronic version of the CCRA. Requesting organizations that subscribe to this solution will prompt their suppliers to electronically fill out or upload the Excel version (with an exported .csv file) of the CCRA into OBM.
When will suppliers be expected to move off of the current NIST SP 800-171 and Cybersecurity Questionnaire (CSQ) that is hosted in Exostar Partner Information Manager (PIM)?
Suppliers that are currently using Exostar’s NIST SP 800-171 questionnaire and Cybersecurity Questionnaire (CSQ) will begin their transition to the CCRA as early as 1st Quarter of 2024. As their NIST/CSQ expires (1 year from the last submission), the suppliers will be prompted to transition to the CCRA on Exostar’s Onboarding Module (OBM).

Note: Each organization will begin piloting use of the CCRA following this general announcement. Please contact the requesting organization for additional information.

I recently completed the Cyber Security Questionnaire (CSQ) in Exostar. Do I now need to complete this new questionnaire?
Suppliers currently using the legacy Cybersecurity Questionnaire (CSQ) and NIST SP 800-171 Questionnaire (NIST) will be phased into the new CCRA as their questionnaires expire (annual renewal) or upon request of the requesting organization.

Note: Each organization will begin piloting use of the CCRA following this general announcement. Please contact the requesting organization for additional information.

Will my answers from my previous assessment (CSQ) automatically pull over into this new assessment?
No, the new CCRA is much shorter (60 questions) and will significantly reduce the time it takes to complete over the legacy CSQ/NIST questionnaires.