It’s been quite a week.
The DOD released an interim rule to “amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a DOD Assessment Methodology and Cybersecurity Maturity Model Certification framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DOD supply chain.”
The DOD requested, and OMB authorized, emergency processing of the collection of information tied to this rule. The emergency justification impacts all DOD contractors in the long term and short term as they will now be required to prove and submit evidence of compliance with DFARS clause 252.204-7012 and NIST 800-171. Additionally, the rule creates the following new solicitation provision and contract clauses:
- DFARS 252.204-7019, Notice of NIST SP 800-171 DOD Assessment Requirements;
- DFARS clause 252.204-7020, NIST SP 800-171 DOD Assessment Requirements; and
- DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements.
The interim rule, effective 60 days from publication, has triggered a number of questions from contractors. Here are the answers we believe we know, the answers that we aren’t certain about, and the answers that are unclear, but we can surmise based on past experience.
DFARS Interim Rule and Emergency Justification FAQ
- What is the nature of the emergency justification?
- Why did the change occur?
- What immediate steps should a covered entity take after this rule change?
- What role do my third-party providers (TPPs) have in my attestation?
- Can the government ask for my managed services contracts to demonstrate compliance with the DFARS verbiage inclusion?
- Is this rule retroactive? E.g., does this cover time periods of previous self-attestation?
- Does everyone who previously self-attested now submit documentation?
- What needs to be submitted when the government asks for proof of attestation?
- What does Basic / Medium / High mean in the release verbiage?
- How does the interim rule affect CMMC roadmap and compliance?
- If the government finds fault with your self-attestation documentation, what are the ramifications?
- Can an outside provider or third-party submit my documentation on my behalf?
- What is the process if you want to dispute your compliance rating under the pre-CMMC assessment process?
- Is there any arbitration or a process of procedural review of negative findings?
- What is the difference between DFARS 252.204-7012 and the new DFARS 252.204-7021?
- How many CMMC driven contracts are expected in FY2021?
- Will my self-disclosures be made public? Is it disclosable in a FOIA request?
DFARS Interim Rule and Emergency Action: What We Believe We Know
What is the nature of the emergency justification?
The government is finally asking the defense industrial base to submit evidence of compliance with DFARS clause 252.204-7012 and NIST 800-171. In the past, the DOD trusted, with almost no verification, contractors to adhere to the rules and there was no compulsory submission required to prove compliance. The nature of the emergency is “The aggregate loss of sensitive controlled unclassified information and intellectual property from the DIB sector could undermine U.S. technological advantages and increase risk to DOD missions.”
Why did the change occur?
Explicitly, to make sure two things happen:
- The supply chain makes strong improvements to security and meets current contractual commitments
- Contractors who have ignored the current requirements are motivated to act by forced information collection
But the interim rule also codifies the CMMC. The onboarding of the CMMC structure will ramp up over the course of the next five years. The DOD can’t afford to wait that long to ensure American IP is protected, so it will move to collect evidence of compliance with DFARS clause 252.204-7012 in parallel with the CMMC ramp-up.
What immediate steps should a covered entity take after this rule change?
First, reconcile how long it’s been since you’ve self-attested in line with the 2017 DFARS rule and, more specifically, NIST 800-171. A company that has fully implemented all 110 NIST SP 800-171 security requirements would have a score of 110 to report in the Supplier Performance Risk System (SPRS) for its Basic Assessment. A company that has unimplemented requirements will use the scoring methodology to assign a value to each unimplemented requirement, add up those values, and subtract the total value from 110 to determine its score. Learn more about the NIST SP 800-171 DOD Assessment Methodology.
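The scoring arithmetic above, as an added example that is not from the original post or from the DOD methodology document. It assumes the methodology’s 5/3/1 point weighting and its partial-credit rule for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography); the `WEIGHTS` table is an illustrative excerpt, not the full 110-row table.

```python
# Added example: compute a Basic Assessment (SPRS) score as the post describes:
# start at 110, give each unimplemented requirement its point value, sum those
# values and subtract the sum from 110. The score can go negative.
from dataclasses import dataclass

MAX_SCORE = 110

# Illustrative excerpt of requirement id -> point value (5, 3 or 1). Confirm each
# value against the published DoD Assessment Methodology table before relying on it.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.3": 1,    # control the flow of CUI
    "3.1.5": 3,    # least privilege
    "3.5.3": 5,    # multifactor authentication (partial credit possible)
    "3.13.11": 5,  # FIPS-validated cryptography (partial credit possible)
    "3.14.1": 5,   # identify, report and correct system flaws
}
# The methodology lets these two requirements lose 3 points instead of 5 when
# partially implemented (e.g. MFA for privileged/remote users but not general users,
# or encryption in place but not FIPS-validated).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass
class Finding:
    requirement: str
    partially_implemented: bool = False


def deduction(finding):
    """Points to subtract for one unimplemented or partially implemented requirement."""
    if finding.requirement not in WEIGHTS:
        raise KeyError(f"unknown requirement id {finding.requirement}")
    if finding.partially_implemented:
        if finding.requirement not in PARTIAL_CREDIT:
            raise ValueError(f"{finding.requirement} has no partial-credit rule")
        return PARTIAL_CREDIT[finding.requirement]
    return WEIGHTS[finding.requirement]


def sprs_score(findings):
    """Return (score, total_deducted); an empty findings list means full marks."""
    seen = set()
    total = 0
    for finding in findings:
        if finding.requirement in seen:  # a requirement can only be deducted once
            raise ValueError(f"duplicate finding for {finding.requirement}")
        seen.add(finding.requirement)
        total += deduction(finding)
    return MAX_SCORE - total, total


if __name__ == "__main__":
    # Constructed sample POA&M: one 1-point gap, partial MFA credit, one 5-point gap.
    gaps = [Finding("3.1.3"), Finding("3.5.3", partially_implemented=True), Finding("3.14.1")]
    print(sprs_score(gaps))  # → (101, 9)
```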
Your properly scored Basic Assessment and self-attestation should show you have made a habit of improving your environment over the last three years. If you have not shown improvement on your Plan of Actions and Milestones (POA&Ms), you need to take steps to demonstrate what you are doing to make progress. Ideally, you should have at least three self-assessments from the past three years against DFARS 252.204-7012, and more if you’ve made major changes to your environment that would trigger another self-assessment.
Check out our article on the five steps every organization should take to meet the NIST 800-171 requirements.
What role do my Third-Party Providers (TPPs) have in my attestation?
A major role. You have to attest that your TPPs who handle CUI meet the same or higher security standards as you do.
The biggest stumbling block for many contractors is their TPP contract language. Any organization with a DOD contract that’s handling controlled unclassified information (CUI) must have specific contract language for any of its TPPs that handle CUI, requiring them to meet or exceed the same security standards. How many MSPs or MSSPs are doing that today? Very few.
In fact, the interim DFARS rule has this verbatim clause buried within the latest 89-page update:
(2) The Contractor shall not award a subcontract or other contractual instrument, that is subject to the implementation of NIST SP 800-171 security requirements, in accordance with DFARS clause 252.204-7012 of this contract, unless the subcontractor has completed, within the last 3 years, at least a Basic NIST SP 800-171 DOD Assessment, as described in this memo, for all covered contractor information systems relevant to its offer that are not part of an information technology service or system operated on behalf of the Government. (3) If a subcontractor does not have summary level scores of a current NIST SP 800-171 DOD Assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) posted in SPRS, the subcontractor may conduct and submit a Basic Assessment, in accordance with the NIST SP 800-171 DOD Assessment Methodology, to [email protected] for posting to SPRS along with the information required by paragraph (d) of this clause.
Can the government ask for my managed services contracts to demonstrate compliance with the DFARS verbiage inclusion?
Not only can they — they almost definitely will.
Is this rule retroactive? E.g., does this cover time periods of the previous self-attestation?
The truth is that this behavior and level of compliance were supposed to be in place all along and this action simply asks you to prove you’ve been doing it. This is where some contractors will find themselves between a rock and a hard place if they have self-attested but never really implemented NIST 800-171.
DFARS Interim Rule and Emergency Action: What’s Unclear
Does everyone who previously self-attested now submit documentation?
No, you don’t have to submit documentation to the government today, but moving forward all DOD awards will require the submission of, at a minimum, a Basic Assessment.
It’s unclear why documentation has not been required before now. Maybe the government didn’t want to have access to the information or didn’t have a program to evaluate the information, or maybe the risk level wasn’t the same as it is today. It is also possible that lobbyists and industry trade associations fought off this requirement.
What needs to be submitted when the government asks for proof of attestation?
At a minimum, contractors will need to produce their assessment using the standard scoring methodology, which reflects the net effect of NIST SP 800-171 security requirements not yet implemented.
Contractor assessment results are documented in the Supplier Performance Risk System (SPRS) to provide DOD Components with visibility into the scores of Assessments already completed, and to verify that an offeror has a current (i.e., not more than three years old, unless a lesser time is specified in the solicitation) Assessment, at any level, on record prior to contract award.
The presumption is that the DOD wants what’s typically asked for in an audit, or what prime contractors ask a new subcontractor to provide: a System Security Plan (SSP), any POA&Ms, and an attestation of where the program stands against NIST 800-171.
What does Basic / Medium / High mean in the release verbiage?
There are three assessment levels (Basic, Medium, and High), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment. A Basic Assessment is a self-assessment completed by the contractor, while Medium or High Assessments are completed by the Government. The Assessments are completed for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.
How does the interim rule affect CMMC roadmap and compliance?
The rule builds upon NIST SP 800-171 and the DOD Assessment Methodology by mandating the CMMC framework, which adds a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB contractor can adequately protect sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.
DOD is implementing a phased rollout of CMMC. Until September 30, 2025, the clause at 252.204-7021, Cybersecurity Maturity Model Certification Requirements, is prescribed for use in solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, excluding acquisitions exclusively for COTS items, if the requirement document or statement of work requires a contractor to have a specific CMMC level. In order to implement the phased rollout of CMMC, the inclusion of a CMMC requirement in a solicitation during this time period must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment.
CMMC will apply to all DOD solicitations and contracts, including those for the acquisition of commercial items (except those exclusively for COTS items) valued at greater than the micro-purchase threshold, starting on or after October 1, 2025.
If the government finds fault with your self-attestation documentation, what are the ramifications?
Contractors who are not accurate in their assessment reporting could be subject to the False Claims Act (FCA), which imposes civil and potentially criminal liability on anyone who knowingly presents a false or fraudulent claim for payment to the federal government, or knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim. This is not theoretical; read more about the most visible DOD FCA case for cybersecurity.
Can an outside provider or third-party submit my documentation on my behalf?
This is unclear, but probably not. The government doesn’t want you to have the ability to say your service provider submitted it incorrectly or made material errors. An outside provider can prepare the materials, which you then send along yourself, much as a CPA might prepare your taxes while you sign them. The likely exception would be the Medium or High Assessments, which are completed by the Government, which would then submit the results.
What is the process if you want to dispute your compliance rating under the pre-CMMC assessment process?
We don’t know the answer to this one. There needs to be some sort of arbitration or dispute process for judgments against you and for revisions to documents, as you might have with taxes, but the process is not obvious right now.
Is there any arbitration or a process of procedural review of negative findings?
Same answer as above — as of right now there is not an obvious process, but there should be one.
DFARS Interim Rule and Emergency Action: What We Know
What is the difference between DFARS 252.204-7012 and the new DFARS 252.204-7021?
7012 is universally applied and 7021 requires a demonstration of maturity based on the risk level of the contract.
7012 involves self-attesting and self-submitting documentation; 7021 requires third-party assessments, but still involves self-submitting.
7012 is based on policing and enforcement and 7021 is based on the winning of revenue and contracts.
7012 allows tolerance for not having certain controls in place at the moment so long as you’ve identified those and you have a plan to rectify them, and 7021 is intolerant — you must not only have evident practices in place but also show they’re habitually deployed.
In five years, 7012 will be sunsetting, and 7021 will be sunrising. DFARS 252.204-7021 is the new law of the land.
How many CMMC driven contracts are expected in FY2021?
The rule says:
“Based on information from the Federal Procurement Data System (FPDS), the number of unique prime contractors is 212,657 and the number of known unique subcontractors is 8,309. Therefore, the total number of known unique prime contractors and subcontractors is 220,966, of which approximately 163,391 (74 percent) are estimated to be unique small businesses. According to FPDS, the average number of new contracts for unique contractors is 47,905 for any given year.”
The document also includes a chart showing how many contracts to expect at each CMMC level each year:
Will my self-disclosures be made public? Is it disclosable in a FOIA request?
There is no mention of that in DFARS 252.204-7021, but our sense is that the information will not be generally available to the public, although it might be subject to a FOIA request.
When you are self-attesting and going on record about what you do and don’t do from a security perspective, that record, if opened up, would show attackers where organizations are vulnerable. This information could also materially affect the way companies and investors view mergers and acquisitions, due diligence, and so forth. So, it is unlikely that the self-disclosures will be truly public.
The Bottom Line
Time’s up: get compliant or forgo DOD revenue. It is that simple. The government is getting more aggressive in cracking down on cybersecurity to protect American assets throughout the defense industrial base and has been very specific as to its expectations.
The DOD means business. The time to take action is now.
The experts at CyberSheath understand your challenges – and we can help. Contact us to make sure your assessment gets – and stays – on track.
Sprint to compliance in less than 60 days with CyberSheath’s proven methodology based on three core disciplines: Assess, Implement, Manage (AIM™).