{"id":13116,"date":"2023-08-29T14:50:44","date_gmt":"2023-08-29T19:50:44","guid":{"rendered":"https:\/\/ndisac.org\/dibscc\/?p=13116"},"modified":"2025-06-06T06:21:17","modified_gmt":"2025-06-06T11:21:17","slug":"cybersecurity-compliance-and-risk-assessment","status":"publish","type":"post","link":"https:\/\/ndisac.org\/dibscc\/cyberassist\/awareness\/cybersecurity-compliance-and-risk-assessment\/","title":{"rendered":"Cybersecurity Compliance and Risk Assessment"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”3.22″][et_pb_row _builder_version=”4.0.6″][et_pb_column type=”4_4″ _builder_version=”4.0.6″][et_pb_text admin_label=”Cybersecurity Compliance and Risk Assessment Intro” _builder_version=”4.9.2″ vertical_offset_tablet=”0″ horizontal_offset_tablet=”0″ z_index_tablet=”0″ text_text_shadow_horizontal_length_tablet=”0px” text_text_shadow_vertical_length_tablet=”0px” text_text_shadow_blur_strength_tablet=”1px” link_text_shadow_horizontal_length_tablet=”0px” link_text_shadow_vertical_length_tablet=”0px” link_text_shadow_blur_strength_tablet=”1px” ul_text_shadow_horizontal_length_tablet=”0px” ul_text_shadow_vertical_length_tablet=”0px” ul_text_shadow_blur_strength_tablet=”1px” ol_text_shadow_horizontal_length_tablet=”0px” ol_text_shadow_vertical_length_tablet=”0px” ol_text_shadow_blur_strength_tablet=”1px” quote_text_shadow_horizontal_length_tablet=”0px” quote_text_shadow_vertical_length_tablet=”0px” quote_text_shadow_blur_strength_tablet=”1px” header_text_shadow_horizontal_length_tablet=”0px” header_text_shadow_vertical_length_tablet=”0px” header_text_shadow_blur_strength_tablet=”1px” header_2_text_shadow_horizontal_length_tablet=”0px” header_2_text_shadow_vertical_length_tablet=”0px” header_2_text_shadow_blur_strength_tablet=”1px” header_3_text_shadow_horizontal_length_tablet=”0px” header_3_text_shadow_vertical_length_tablet=”0px” header_3_text_shadow_blur_strength_tablet=”1px” header_4_text_shadow_horizontal_length_tablet=”0px” header_4_text_shadow_vertical_length_tablet=”0px” header_4_text_shadow_blur_strength_tablet=”1px” header_5_text_shadow_horizontal_length_tablet=”0px” header_5_text_shadow_vertical_length_tablet=”0px” header_5_text_shadow_blur_strength_tablet=”1px” header_6_text_shadow_horizontal_length_tablet=”0px” header_6_text_shadow_vertical_length_tablet=”0px” header_6_text_shadow_blur_strength_tablet=”1px” box_shadow_horizontal_tablet=”0px” box_shadow_vertical_tablet=”0px” box_shadow_blur_tablet=”40px” box_shadow_spread_tablet=”0px”]<\/p>\n

Cybersecurity Compliance and Risk Assessment<\/h2>\n

Purpose:<\/strong> Introduces the concept of a common Cybersecurity Compliance and Risk Assessment (CCRA) for the Defense Industrial Base <\/strong>CCRA Announcement Letter<\/a><\/strong><\/p>\n

The CCRA concept allows suppliers to complete ONE assessment which would be accepted on a reciprocal basis by DoD Prime contractors, or other companies who recognize the CCRA.\u00a0 This will introduce efficiencies and cost savings in contrast to current practices. As suppliers have observed, while the regulatory requirements for cybersecurity continue to grow and evolve, companies have resorted to developing proprietary assessments or using outdated questionnaires to capture compliance and risk information. This approach has introduced a significant burden to suppliers that are required to provide unique responses to assessment tools containing varying numbers of security requirements and inconsistent language.<\/p>\n

The transition to the CCRA will introduce a consistent approach for acquiring cybersecurity compliance and risk information, introduce a reduced set of required responses, and introduce the efficiency of answering once and sharing with many who recognize the reciprocal value of the CCRA.[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”1_2,1_2″ _builder_version=”4.9.2″ _module_preset=”default”][et_pb_column type=”1_2″ _builder_version=”4.9.2″ _module_preset=”default”][et_pb_text admin_label=”Feedback Button” _builder_version=”4.9.2″ vertical_offset_tablet=”0″ horizontal_offset_tablet=”0″ custom_padding=”20px||20px|||” z_index_tablet=”0″ custom_css_main_element=”}||img {|| border-radius: 10px;” text_text_shadow_horizontal_length_tablet=”0px” text_text_shadow_vertical_length_tablet=”0px” text_text_shadow_blur_strength_tablet=”1px” link_text_shadow_horizontal_length_tablet=”0px” link_text_shadow_vertical_length_tablet=”0px” link_text_shadow_blur_strength_tablet=”1px” ul_text_shadow_horizontal_length_tablet=”0px” ul_text_shadow_vertical_length_tablet=”0px” ul_text_shadow_blur_strength_tablet=”1px” ol_text_shadow_horizontal_length_tablet=”0px” ol_text_shadow_vertical_length_tablet=”0px” ol_text_shadow_blur_strength_tablet=”1px” quote_text_shadow_horizontal_length_tablet=”0px” quote_text_shadow_vertical_length_tablet=”0px” quote_text_shadow_blur_strength_tablet=”1px” header_text_shadow_horizontal_length_tablet=”0px” header_text_shadow_vertical_length_tablet=”0px” header_text_shadow_blur_strength_tablet=”1px” header_2_text_shadow_horizontal_length_tablet=”0px” header_2_text_shadow_vertical_length_tablet=”0px” header_2_text_shadow_blur_strength_tablet=”1px” header_3_text_shadow_horizontal_length_tablet=”0px” header_3_text_shadow_vertical_length_tablet=”0px” header_3_text_shadow_blur_strength_tablet=”1px” header_4_text_shadow_horizontal_length_tablet=”0px” header_4_text_shadow_vertical_length_tablet=”0px” header_4_text_shadow_blur_strength_tablet=”1px” header_5_text_shadow_horizontal_length_tablet=”0px” header_5_text_shadow_vertical_length_tablet=”0px” header_5_text_shadow_blur_strength_tablet=”1px” header_6_text_shadow_horizontal_length_tablet=”0px” header_6_text_shadow_vertical_length_tablet=”0px” header_6_text_shadow_blur_strength_tablet=”1px” box_shadow_horizontal_tablet=”0px” box_shadow_vertical_tablet=”0px” box_shadow_blur_tablet=”40px” box_shadow_spread_tablet=”0px”]\"Submit<\/a>[\/et_pb_text][\/et_pb_column][et_pb_column type=”1_2″ _builder_version=”4.9.2″ _module_preset=”default”][et_pb_code raw_content_tablet=”” raw_content_phone=”” raw_content_last_edited=”on|desktop” admin_label=”Newsletter Subscription” _builder_version=”4.9.2″ _module_preset=”default” width=”100%” min_height=”36px” custom_margin=”-13px|||||” custom_padding=”37px||0px|2px||” custom_css_main_element=”}||.tnp-field-email {|| width: 73%;|| box-sizing: border-box;|| vertical-align: middle;||}||.tnp-field-button {|| width: 27%;|| margin-left:25%;||}||.tnp-field-button input.tnp-button {|| font-size: 14px;|| padding: 10px 30px;|| box-sizing: border-box;|| vertical-align: middle;|| background-color: #053c74;|| line-height: normal;|| text-shadow: 1px 1px 2px #000;||}||.tnp-field input%91type=%22submit%22%93 {|| position: inherit;||}||button, html input%91type=%22button%22%93, input%91type=%22reset%22%93, input%91type=%22submit%22%93 {|| -webkit-appearance: button;|| cursor: pointer;||}||button, button%91disabled%93:hover, button%91disabled%93:focus, input%91type=%22button%22%93, input%91type=%22button%22%93%91disabled%93:hover, input%91type=%22button%22%93%91disabled%93:focus, input%91type=%22reset%22%93, input%91type=%22reset%22%93%91disabled%93:hover, input%91type=%22reset%22%93%91disabled%93:focus, input%91type=%22submit%22%93, input%91type=%22submit%22%93%91disabled%93:hover, input%91type=%22submit%22%93%91disabled%93:focus {|| background: #071139;|| border: 0;|| border-radius: 2px;|| color: #fff;|| font-family: ‘Muli’, sans-serif;|| font-weight: 700;|| letter-spacing: 0.046875em;|| text-transform: uppercase;|| line-height: 1;|| padding: 0.846153846em;”]

\n\n
<\/div>\n
\n<\/div>\n<\/form>[\/et_pb_code][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.9.2″ _module_preset=”default”][et_pb_column type=”4_4″ _builder_version=”4.9.2″ _module_preset=”default”][et_pb_accordion icon_color=”#0c71c3″ admin_label=”Accordion: Change Questions” _builder_version=”4.9.2″ toggle_font=”|700|||||||” toggle_text_align=”left” toggle_font_size=”20px” vertical_offset_tablet=”0″ horizontal_offset_tablet=”0″ text_orientation=”left” custom_padding=”2px||2px|” hover_transition_duration=”100ms” hover_enabled=”0″ z_index_tablet=”0″ custom_css_toggle=”margin-bottom: 10px !important;” toggle_text_shadow_horizontal_length_tablet=”0px” toggle_text_shadow_vertical_length_tablet=”0px” toggle_text_shadow_blur_strength_tablet=”1px” closed_toggle_text_shadow_horizontal_length_tablet=”0px” closed_toggle_text_shadow_vertical_length_tablet=”0px” closed_toggle_text_shadow_blur_strength_tablet=”1px” body_text_shadow_horizontal_length_tablet=”0px” body_text_shadow_vertical_length_tablet=”0px” body_text_shadow_blur_strength_tablet=”1px” body_link_text_shadow_horizontal_length_tablet=”0px” body_link_text_shadow_vertical_length_tablet=”0px” body_link_text_shadow_blur_strength_tablet=”1px” body_ul_text_shadow_horizontal_length_tablet=”0px” body_ul_text_shadow_vertical_length_tablet=”0px” body_ul_text_shadow_blur_strength_tablet=”1px” body_ol_text_shadow_horizontal_length_tablet=”0px” body_ol_text_shadow_vertical_length_tablet=”0px” body_ol_text_shadow_blur_strength_tablet=”1px” body_quote_text_shadow_horizontal_length_tablet=”0px” body_quote_text_shadow_vertical_length_tablet=”0px” body_quote_text_shadow_blur_strength_tablet=”1px” box_shadow_horizontal_tablet=”0px” box_shadow_vertical_tablet=”0px” box_shadow_blur_tablet=”40px” box_shadow_spread_tablet=”0px” text_shadow_horizontal_length_tablet=”0px” text_shadow_vertical_length_tablet=”0px” text_shadow_blur_strength_tablet=”1px” sticky_enabled=”0″][et_pb_accordion_item title=”What is driving the change?” open=”on” title_tablet=”What is CDI\/CUI and how do I tell if my data is considered CDI\/CUI?” title_phone=”What is CDI\/CUI and how do I tell if my data is considered CDI\/CUI?” _builder_version=”4.9.2″ vertical_offset_tablet=”0″ vertical_offset_phone=”0″ horizontal_offset_tablet=”0″ horizontal_offset_phone=”0″ background_color_gradient_direction_tablet=”180deg” background_color_gradient_direction_phone=”180deg” background_color_gradient_start_position_tablet=”0%” background_color_gradient_start_position_phone=”0%” background_color_gradient_end_position_tablet=”100%” background_color_gradient_end_position_phone=”100%” z_index_tablet=”1″ z_index_phone=”1″ hover_transition_duration_tablet=”300ms” hover_transition_duration_phone=”300ms” hover_transition_delay_tablet=”0ms” hover_transition_delay_phone=”0ms” body_text_shadow_horizontal_length_tablet=”0px” body_text_shadow_horizontal_length_phone=”0px” body_text_shadow_vertical_length_tablet=”0px” body_text_shadow_vertical_length_phone=”0px” body_text_shadow_blur_strength_tablet=”1px” body_text_shadow_blur_strength_phone=”1px” body_link_text_shadow_horizontal_length_tablet=”0px” body_link_text_shadow_horizontal_length_phone=”0px” body_link_text_shadow_vertical_length_tablet=”0px” body_link_text_shadow_vertical_length_phone=”0px” body_link_text_shadow_blur_strength_tablet=”1px” body_link_text_shadow_blur_strength_phone=”1px” body_ul_text_shadow_horizontal_length_tablet=”0px” body_ul_text_shadow_horizontal_length_phone=”0px” body_ul_text_shadow_vertical_length_tablet=”0px” body_ul_text_shadow_vertical_length_phone=”0px” body_ul_text_shadow_blur_strength_tablet=”1px” body_ul_text_shadow_blur_strength_phone=”1px” body_ol_text_shadow_horizontal_length_tablet=”0px” body_ol_text_shadow_horizontal_length_phone=”0px” body_ol_text_shadow_vertical_length_tablet=”0px” body_ol_text_shadow_vertical_length_phone=”0px” body_ol_text_shadow_blur_strength_tablet=”1px” body_ol_text_shadow_blur_strength_phone=”1px” body_quote_text_shadow_horizontal_length_tablet=”0px” body_quote_text_shadow_horizontal_length_phone=”0px” body_quote_text_shadow_vertical_length_tablet=”0px” body_quote_text_shadow_vertical_length_phone=”0px” body_quote_text_shadow_blur_strength_tablet=”1px” body_quote_text_shadow_blur_strength_phone=”1px” box_shadow_horizontal_tablet=”0px” box_shadow_horizontal_phone=”0px” box_shadow_vertical_tablet=”0px” box_shadow_vertical_phone=”0px” box_shadow_blur_tablet=”40px” box_shadow_blur_phone=”40px” box_shadow_spread_tablet=”0px” box_shadow_spread_phone=”0px” text_shadow_horizontal_length_tablet=”0px” text_shadow_horizontal_length_phone=”0px” text_shadow_vertical_length_tablet=”0px” text_shadow_vertical_length_phone=”0px” text_shadow_blur_strength_tablet=”1px” text_shadow_blur_strength_phone=”1px” toggle_text_shadow_horizontal_length_tablet=”0px” toggle_text_shadow_horizontal_length_phone=”0px” toggle_text_shadow_vertical_length_tablet=”0px” toggle_text_shadow_vertical_length_phone=”0px” toggle_text_shadow_blur_strength_tablet=”1px” toggle_text_shadow_blur_strength_phone=”1px” closed_toggle_text_shadow_horizontal_length_tablet=”0px” closed_toggle_text_shadow_horizontal_length_phone=”0px” closed_toggle_text_shadow_vertical_length_tablet=”0px” closed_toggle_text_shadow_vertical_length_phone=”0px” closed_toggle_text_shadow_blur_strength_tablet=”1px” closed_toggle_text_shadow_blur_strength_phone=”1px”]The primary drivers for this change include feedback from our suppliers who seek reduced administrative burden in documenting cybersecurity and risk information, coupled with supplier concern about meeting the DoD’s compliance requirements.\u00a0 To address suppliers’ input, the Defense Industrial Base (DIB) Sector Coordinating Council (SCC) Supply Chain Cybersecurity Task Force (SCCTF) created the CCRA Working Group to develop the CCRA as a common set of security requirements integrated into a single concise format to measure both risk and compliance.[\/et_pb_accordion_item][et_pb_accordion_item title=”What is the Cybersecurity Compliance and Risk Assessment?” title_tablet=”Who is considered a US Person or a Non-US Person?” title_phone=”Who is considered a US Person or a Non-US Person?” _builder_version=”4.9.2″ vertical_offset_tablet=”0″ vertical_offset_phone=”0″ horizontal_offset_tablet=”0″ horizontal_offset_phone=”0″ background_color_gradient_direction_tablet=”180deg” background_color_gradient_direction_phone=”180deg” background_color_gradient_start_position_tablet=”0%” background_color_gradient_start_position_phone=”0%” background_color_gradient_end_position_tablet=”100%” background_color_gradient_end_position_phone=”100%” z_index_tablet=”1″ z_index_phone=”1″ hover_transition_duration_tablet=”300ms” hover_transition_duration_phone=”300ms” hover_transition_delay_tablet=”0ms” hover_transition_delay_phone=”0ms” body_text_shadow_horizontal_length_tablet=”0px” body_text_shadow_horizontal_length_phone=”0px” body_text_shadow_vertical_length_tablet=”0px” body_text_shadow_vertical_length_phone=”0px” body_text_shadow_blur_strength_tablet=”1px” body_text_shadow_blur_strength_phone=”1px” body_link_text_shadow_horizontal_length_tablet=”0px” body_link_text_shadow_horizontal_length_phone=”0px” body_link_text_shadow_vertical_length_tablet=”0px” body_link_text_shadow_vertical_length_phone=”0px” body_link_text_shadow_blur_strength_tablet=”1px” body_link_text_shadow_blur_strength_phone=”1px” body_ul_text_shadow_horizontal_length_tablet=”0px” body_ul_text_shadow_horizontal_length_phone=”0px” body_ul_text_shadow_vertical_length_tablet=”0px” body_ul_text_shadow_vertical_length_phone=”0px” body_ul_text_shadow_blur_strength_tablet=”1px” body_ul_text_shadow_blur_strength_phone=”1px” body_ol_text_shadow_horizontal_length_tablet=”0px” body_ol_text_shadow_horizontal_length_phone=”0px” body_ol_text_shadow_vertical_length_tablet=”0px” body_ol_text_shadow_vertical_length_phone=”0px” body_ol_text_shadow_blur_strength_tablet=”1px” body_ol_text_shadow_blur_strength_phone=”1px” body_quote_text_shadow_horizontal_length_tablet=”0px” body_quote_text_shadow_horizontal_length_phone=”0px” body_quote_text_shadow_vertical_length_tablet=”0px” body_quote_text_shadow_vertical_length_phone=”0px” body_quote_text_shadow_blur_strength_tablet=”1px” body_quote_text_shadow_blur_strength_phone=”1px” box_shadow_horizontal_tablet=”0px” box_shadow_horizontal_phone=”0px” box_shadow_vertical_tablet=”0px” box_shadow_vertical_phone=”0px” box_shadow_blur_tablet=”40px” box_shadow_blur_phone=”40px” box_shadow_spread_tablet=”0px” box_shadow_spread_phone=”0px” text_shadow_horizontal_length_tablet=”0px” text_shadow_horizontal_length_phone=”0px” text_shadow_vertical_length_tablet=”0px” text_shadow_vertical_length_phone=”0px” text_shadow_blur_strength_tablet=”1px” text_shadow_blur_strength_phone=”1px” toggle_text_shadow_horizontal_length_tablet=”0px” toggle_text_shadow_horizontal_length_phone=”0px” toggle_text_shadow_vertical_length_tablet=”0px” toggle_text_shadow_vertical_length_phone=”0px” toggle_text_shadow_blur_strength_tablet=”1px” toggle_text_shadow_blur_strength_phone=”1px” closed_toggle_text_shadow_horizontal_length_tablet=”0px” closed_toggle_text_shadow_horizontal_length_phone=”0px” closed_toggle_text_shadow_vertical_length_tablet=”0px” closed_toggle_text_shadow_vertical_length_phone=”0px” closed_toggle_text_shadow_blur_strength_tablet=”1px” closed_toggle_text_shadow_blur_strength_phone=”1px” open=”off”]The current version of the CCRA contains a maximum of 60 total questions and security requirements in a macro-enabled Excel file format. The file adjusts the number of required questions and security requirements based on responses in the compliance section of the CCRA. The risk assessment section is a subset of NIST SP 800-171 Rev 2<\/a> security requirements to ensure the protection of sensitive information. The CCRA is intended to be an industry-agnostic tool that will enable any company, regardless of size or scope, to effectively capture a baseline risk assessment for entities where sensitive data is shared. It should be noted, however, that completing the CCRA does not waive, or substitute for any DoD-required assessments, or imply approval to host or process controlled unclassified information (CUI).[\/et_pb_accordion_item][et_pb_accordion_item title=”CCRA Deployment ” _builder_version=”4.9.2″ _module_preset=”default” open=”off”]Member companies who are part of the DIB SCC CCRA Working Group will begin piloting the use of the CCRA following this general announcement. The organizations that will pilot the CCRA are listed below:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Company Name<\/strong><\/td>\nWebsite<\/strong><\/td>\n<\/tr>\n
ND-ISAC – CCRA Working Group<\/td>\nhttps:\/\/ndisac.org\/<\/a><\/td>\n<\/tr>\n
Lockheed Martin<\/td>\nhttps:\/\/www.lockheedmartin.com<\/a><\/td>\n<\/tr>\n
Boeing Company<\/td>\nhttps:\/\/www.boeing.com\/<\/a><\/td>\n<\/tr>\n
Leidos, Inc.<\/td>\nhttps:\/\/www.leidos.com\/<\/a><\/td>\n<\/tr>\n
RTX<\/td>\nhttps:\/\/www.rtx.com\/<\/a><\/td>\n<\/tr>\n
Booz Allen Hamilton<\/td>\nhttps:\/\/www.boozallen.com\/<\/a><\/td>\n<\/tr>\n
Centurum, Inc.<\/td>\nhttps:\/\/www.centurum.com\/<\/a><\/td>\n<\/tr>\n
Frontgrade<\/td>\nhttps:\/\/frontgrade.com\/<\/a><\/td>\n<\/tr>\n
Win-Tech<\/td>\nhttps:\/\/win-tech.net\/<\/a><\/td>\n<\/tr>\n
Northrop Grumman<\/td>\nhttps:\/\/www.northropgrumman.com\/<\/a><\/td>\n<\/tr>\n
L3Harris<\/td>\nhttps:\/\/www.l3harris.com\/<\/a><\/td>\n<\/tr>\n
BAE Systems<\/td>\nhttps:\/\/www.baesystems.com\/en\/home<\/a><\/td>\n<\/tr>\n
Huntington Ingalls Industries<\/td>\nhttps:\/\/hii.com\/<\/a><\/td>\n<\/tr>\n
Accenture Federal Services<\/td>\nhttps:\/\/www.accenture.com\/<\/a><\/td>\n<\/tr>\n
Rolls Royce<\/td>\nhttps:\/\/www.rolls-royce.com\/<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

[\/et_pb_accordion_item][\/et_pb_accordion][et_pb_tabs admin_label=”Tabs: Download and FAQ” _builder_version=”4.9.2″ _module_preset=”default”][et_pb_tab title=”Download” _builder_version=”4.9.2″ _module_preset=”default”]<\/p>\n

The Cybersecurity Compliance and Risk Assessment (.xlsm) can be downloaded below:
Version: 1.03<\/p>\n

Download CCRA Now<\/strong><\/a><\/h3>\n


Check Sum:<\/strong>
MD5: EF2841C4CE09733AFB0159D8724454CB
SHA256: 41236A5B02AD907F041DBCB105F282CBAC829CFDA6C6EC796F30FDBCE14AB417<\/p>\n

Information on how to perform a checksum can be found at Microsoft Support.<\/a><\/p>\n

\n

This content was developed by subject matter experts of Member Companies of the Defense Industrial Base Sector Coordinating Council (DIB SCC) Supply Chain Cybersecurity Task Force and its working group for Common Cybersecurity Compliance and Risk Assessment (CCRA). This content is provided with the assistance of the National Defense Information Sharing and Analysis Center (ND-ISAC) and is intended to assist and inform small and medium-sized businesses (SMBs) in assessing cybersecurity risk and compliance of their suppliers. This content is provided at no cost and is based on good faith analyses of best practices in cybersecurity compliance and risk assessment.<\/p>\n

THIS CONTENT IS EXPRESSLY PROVIDED “AS IS.” NEITHER THE DIB SCC CCRA WORKING GROUP NOR ND-ISAC MAKE WARRANTY OF ANY KIND, EXPRESSED, IMPLIED, IN FACT OR ARISING BY OPERATION OF LAW, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NEITHER THE DIB SCC CCRA WORKING GROUP NOR ND-ISAC REPRESENTS NOR WARRANTS THAT THE OPERATION OF THIS CONTENT WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. NEITHER THE DIB SCC CCRA WORKING GROUP NOR ND-ISAC WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF THIS CONTENT OR THE RESULTS THEREOF, INCLUDING BUT NOT LIMITED TO THE CORRECTNESS, ACCURACY, RELIABILITY, OR USEFULNESS OF THE CONTENT.<\/p>\n

You are solely responsible for determining the appropriateness of using this content and you assume all risks associated with its use, including but not limited to the risks and costs of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and the unavailability or interruption of operation. This content is not intended to be used in any situation where a failure could cause risk of injury or damage to property. Furthermore, the use of this content does not alleviate any obligation you may have to comply with any contractual or legal requirements, e.g. DFARS 252.204-7012.<\/p>\n

Any actions or implementations based on this content are entirely at the user’s risk and with no implied warranty or guarantee; or liability to ND-ISAC or Member Company participants of the ND-ISAC or the DIB SCC. Any questions or issues with the CCRA tool should be referred to the DIB SCC CCRA Team at ccra@ndisac.org<\/a>.<\/p>\n<\/blockquote>\n

[\/et_pb_tab][et_pb_tab title=”Frequently Asked Questions” _builder_version=”4.9.2″ _module_preset=”default”][et_pb_accordion icon_color=”#0c71c3″ _builder_version=”4.9.2″ custom_padding=”2px||2px|” toggle_font=”|700|||||||” toggle_text_align=”left” toggle_font_size=”20px” vertical_offset_tablet=”0″ horizontal_offset_tablet=”0″ text_orientation=”left” custom_padding=”2px||2px|” hover_transition_duration=”100ms” z_index_tablet=”0″ custom_css_toggle=”margin-bottom: 10px !important;” toggle_text_shadow_horizontal_length_tablet=”0px” toggle_text_shadow_vertical_length_tablet=”0px” toggle_text_shadow_blur_strength_tablet=”1px” closed_toggle_text_shadow_horizontal_length_tablet=”0px” closed_toggle_text_shadow_vertical_length_tablet=”0px” closed_toggle_text_shadow_blur_strength_tablet=”1px” body_text_shadow_horizontal_length_tablet=”0px” body_text_shadow_vertical_length_tablet=”0px” body_text_shadow_blur_strength_tablet=”1px” body_link_text_shadow_horizontal_length_tablet=”0px” body_link_text_shadow_vertical_length_tablet=”0px” body_link_text_shadow_blur_strength_tablet=”1px” body_ul_text_shadow_horizontal_length_tablet=”0px” body_ul_text_shadow_vertical_length_tablet=”0px” body_ul_text_shadow_blur_strength_tablet=”1px” body_ol_text_shadow_horizontal_length_tablet=”0px” body_ol_text_shadow_vertical_length_tablet=”0px” body_ol_text_shadow_blur_strength_tablet=”1px”
body_quote_text_shadow_horizontal_length_tablet=”0px” body_quote_text_shadow_vertical_length_tablet=”0px” body_quote_text_shadow_blur_strength_tablet=”1px” box_shadow_horizontal_tablet=”0px” box_shadow_vertical_tablet=”0px” box_shadow_blur_tablet=”40px” box_shadow_spread_tablet=”0px” text_shadow_horizontal_length_tablet=”0px” text_shadow_vertical_length_tablet=”0px” text_shadow_blur_strength_tablet=”1px”][et_pb_accordion_item title=”What is the Cybersecurity Compliance and Risk Assessment (CCRA) and why do we need to complete this survey?” _builder_version=”4.9.2″ _module_preset=”default” hover_enabled=”0″ open=”off” sticky_enabled=”0″]The Cybersecurity Compliance and Risk Assessment (CCRA) was developed by the Defense Industrial Base Sector Coordinating Council (DIB SCC) Supply Chain Task Force to drive a common set of cybersecurity requirements that both document compliance and measure risk. It\u2019s intended to reduce the burden on our suppliers, currently being assessed against multiple standards and in varied formats (often with overly complex and outdated cyber requirements).[\/et_pb_accordion_item][et_pb_accordion_item title=”Where can I find the latest version of the CCRA?” _builder_version=”4.9.2″ _module_preset=”default” hover_enabled=”0″ open=”off” sticky_enabled=”0″]The latest version of the CCRA can be found on the ND-ISAC CyberAssist website located here.<\/a>[\/et_pb_accordion_item][et_pb_accordion_item title=”Where should users be directed if they need technical support\/general questions?” open=”on” _builder_version=”4.9.2″ _module_preset=”default” hover_enabled=”0″ sticky_enabled=”0″]Please contact the requesting organizations for support\/general questions.
Feedback on the CCRA\u2019s content can be submitted using the CCRA Feedback Form<\/a>.[\/et_pb_accordion_item][et_pb_accordion_item title=”Can the Cybersecurity Compliance and Risk Assessment (CCRA) be used across different prime contractors?” _builder_version=”4.9.2″ _module_preset=”default” hover_enabled=”0″ open=”off” sticky_enabled=”0″]Starting December 14, 2023, the CCRA will begin to be adopted by members of the Defense Industrial Base Sector Coordinating Council (DIB SCC) which include Lockheed Martin, Accenture Federal Services, BAE Systems, Booz Allen Hamilton, Boeing, Centurum, Frontgrade Technologies, HII, L3Harris, Leidos, Northrop Grumman, RTX, Rolls Royce, and Win-Tech<\/span>. We encourage members of the DIB supply chain to utilize the CCRA to assess the cybersecurity compliance and risk of their suppliers.<\/p>\n

Note: Each organization will begin piloting use of the CCRA following this general announcement.<\/a> Please contact the requesting organization for additional information.[\/et_pb_accordion_item][et_pb_accordion_item title=”How will the CCRA be used and how is the information I put into the form secured?” _builder_version=”4.9.2″ _module_preset=”default” hover_enabled=”0″ open=”off” sticky_enabled=”0″]The use of the CCRA will vary from organization to organization. The CCRA is being made available through the DIB SCC CyberAssist site in an macro-enabled format for ease of access and use, with the ability to share assessment results via an exportable CSV format. Suppliers using the Excel version will maintain exclusive control over whom they share it with.<\/p>\n

It will also be implemented in web-based formats, like Exostar Onboarding Module (OBM) or OneTrust, where suppliers can select the organizations they want to share it with. Please contact the requesting organization for more information on how the response to the CCRA will be used.[\/et_pb_accordion_item][et_pb_accordion_item title=”I do not receive CUI\/CDI. Why do I need to complete the CCRA to show that I\u2019m compliant with NIST 800-171 controls?” _builder_version=”4.9.2″ _module_preset=”default” hover_enabled=”0″ open=”off” sticky_enabled=”0″]The CCRA is used to assess both Cyber Compliance and Risk. The CCRA is built on a set of Scoping Questions that will dynamically add\/remove questions from the survey based on the response provided. The Scoping Questions will identify the type of information (i.e., Federal Contract Information (FCI), Controlled Unclassified Information (CUI), Covered Defense Information (CDI), or other customer-defined Sensitive Information), the supplier possesses, processes, transmits, and\/or stores; and highlight other key risk factors such as when Information & Communication Technology (ICT) is being provided by the supplier. It will align them to a set of questions that will help us understand a supplier\u2019s compliance and risk posture.[\/et_pb_accordion_item][et_pb_accordion_item title=”Why were only a subset of security controls used in the CCRA? What was the reasoning behind the control selection?” _builder_version=”4.9.2″ _module_preset=”default” hover_enabled=”0″ open=”off” sticky_enabled=”0″]The objective of the working group was to develop a single questionnaire that enabled a company to collect compliance information and establish a baseline risk assessment. The current 31 controls were selected with the priority of asking as few questions as possible to gain a high-level understanding of where significant gaps may be present in a supplier\u2019s cyber posture. The 31 currently included on the common questionnaire are focused on identifying where there may be significant gaps.[\/et_pb_accordion_item][et_pb_accordion_item title=”Since the form is in an excel macro-enabled format (.xlsm), how can I be assured that it is safe to open?” _builder_version=”4.9.2″ _module_preset=”default” hover_enabled=”0″ open=”off” sticky_enabled=”0″]Ensure that you download the CCRA from the ND-ISAC CyberAssist website located here<\/a>.<\/p>\n

You can calculate the checksum (hash) of the downloaded file using several options:
1. Navigate to the extracted file. Right-click on the file and select the \u201cCRC SHA\u201d option. Then select \u201cSHA-256\u201d. Then use the prompt with the checksum information to verify you have the same value as what\u2019s provided on the CyberAssist site.<\/p>\n

2. If the above doesn\u2019t work, open a Windows Powershell prompt and use the command \u201cGet-FileHash <filename>\u201d, where <filename> is the sample. For more details, see: Get File Hash with PowerShell<\/a>[\/et_pb_accordion_item][et_pb_accordion_item title=”How does the survey help represent my compliance with the Cyber DFARS requirements?” _builder_version=”4.9.2″ _module_preset=”default” hover_enabled=”0″ open=”off” sticky_enabled=”0″]The survey has a set of scoping questions that identify the type of sensitive information you possess. If Controlled Unclassified Information (CUI) and DFARS 252.204-7012 are applicable, you will be asked for the status of your implementation of the NIST SP 800-171 security requirements. To be compliant with DFARS 7012, you must attest that all 110 NIST cybersecurity controls are implemented OR for controls not implemented, the supplier must have a documented Plan of Action and Milestone (POAM) in your System Security Plan (SSP).<\/p>\n

If DFARS 252.204-7020 is applicable, you will be asked for the status of your Supplier Performance Risk System (SPRS) submission. To be compliant with DFARS 7020, the supplier\u2019s NIST Assessment results (performed within the prior 3-year period) must be posted to the DoD SPRS.<\/p>\n

The CCRA will ask for the status of your compliance with these requirements with a few high-level questions. It should be noted, however, that completing the CCRA does not waive, or substitute for any DoD-required assessments, or imply approval to host or process controlled unclassified information (CUI).[\/et_pb_accordion_item][et_pb_accordion_item title=”How does the CCRA calculate and assess the risk rating?” _builder_version=”4.9.2″ _module_preset=”default” hover_enabled=”0″ open=”off” sticky_enabled=”0″]Cyber Risk is measured based on the responses to the Security Controls. In total, there are (31) Security Controls; (11) Category 1, (10) Category 2, (10) Category 3. Based on the response to the Cyber Security controls, a user will be given a Cyber Risk Rating of Negligible, Moderate, Significant.<\/p>\n

The following rules are applied for calculating Cyber Risk:<\/p>\n