Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) is here. Often referred to as CMMC this long-awaited and hotly debated Interim Rule harmonizes legacy (DFARS clause 252.204-7012) and future (CMMC) requirements with the following statement:
“DOD has developed the following assessment methodology and framework to assess contractor implementation of cybersecurity requirements, both of which are being implemented by this rule: the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DOD Assessment Methodology and the Cybersecurity Maturity Model Certification (CMMC) Framework.”
Specifically, the rule creates the following new solicitation provision and contract clauses:
- DFARS 252.204-7019, Notice of NIST SP 800-171 DOD Assessment Requirements;
- DFARS clause 252.204-7020, NIST SP 800-171 DOD Assessment Requirements; and
- DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements.
Assessment Methodology to ensure NIST 800-171 Compliance
DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, included in all solicitations and contracts, requires contractors to apply the security requirements of NIST SP 800-171 to “covered contractor information systems” or those that “are not part of an IT service or system operated on behalf of the Government”, i.e your contractor networks, labs, cloud environments, etc. This clause has long existed but rarely been enforced by DOD or adhered to by contractors. Rare contractors who have been audited for compliance have been evaluated against the NIST SP 800-171 DOD Assessment Methodology for assessment of a contractor’s implementation of NIST SP 800-171 security requirements. Read the NIST SP 800-171 DOD Assessment Methodology.
If you are not familiar with the assessment methodology it is probably because you have not been audited or have done a quick internal assessment that did not adhere to the scoring defined within the methodology. Time to get familiar with it. Again, directly from the interim rule:
“The Assessment uses a standard scoring methodology, which reflects the net effect of NIST SP 800-171 security requirements not yet implemented by a contractor, and three assessment levels (Basic, Medium, and High), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment. A Basic Assessment is a self-assessment completed by the contractor, while Medium or High Assessments are completed by the Government. The Assessments are completed for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.”
The results of Assessments are documented in the Supplier Performance Risk System (SPRS) giving DOD visibility into completed assessment scores and an ability to verify that a contractor has a current (i.e., not more than three years old) assessment on record prior to contract award. This is something that contractors should pay careful attention to. Because of the widely unenforced existing compliance requirements, most contractors have already self-attested to compliance without ever having submitted an assessment or having been audited. This silent majority is now in the position of being required to, at a minimum, submit a self-assessment that will go into SPRS. How will contractors address the fact they have already attested to compliance and now have an assessment that shows, in our experience, on average 70% non-compliance? Squaring this conflict will require some thoughtful planning and time with your general counsel.
New Interim Rule Outlines the Purpose of CMMC
Nearly everyone expected the new rule to force CMMC implementation (it does with a new DFARS subpart (Subpart 204.75, Cybersecurity Maturity Model Certification CMMC) and mandating DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, for use in all solicitations and contracts or task orders or delivery orders) it also thoughtfully describes a long transition from NIST 800-171 to CMMC.
The purpose of this blog is not to describe CMMC in detail but for those interested in an overview please look here. What contractors really need to know right now about CMMC is that DOD is implementing a phased rollout of CMMC, essentially making it an October 1, 2025 requirement. Up until September 30, 2025 inclusion of a CMMC requirement in a DOD solicitation must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment. On October 1, 2025, and thereafter CMMC will apply to all DOD solicitations and contracts, except those exclusively COTS items. After this date, DOD contracting officers will not award, or exercise an option on a contract without a current (i.e. not older than three years) certification for the required CMMC level. Additionally, and as expected, CMMC certification requirements are required to be flowed down to subcontractors at all tiers.
The new CMMC has always been about assurance, giving DOD a way to ensure all of their suppliers are adequately protecting sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level commensurate with the risk and accounting for information flow down to its subcontractors in a multi-tier supply chain. Assurance, essentially third party validation, was and is required because DOD has proven that contractors self-attestation of compliance was optimistic to be generous. Few contractors actually implemented NIST 800-171 and the DOD is no longer going to accept that risk for its supply chain. As the new rule describes the purpose of CMMC:
“CMMC is designed to provide increased assurance to the Department that a DIB contractor can adequately protect sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain. A DIB contractor can achieve a specific CMMC level for its entire enterprise network or particular segment(s) or enclave(s), depending upon where the information to be protected is processed, stored, or transmitted.”
Key Takeaway
DOD has previously accepted a contractor’s self-attestation and contractors have had a statistically low risk of an audit, but now they have to produce evidence of what they’ve been saying all along. DOD acquisition just changed and they are deadly serious about securing the supply chain, this is a call to action.
Contractors may find themselves between a rock and hard place with this new requirement as they balance previous attestation claims and best intentions against minimal compliance efforts.
Taking steps now, in response to this emergency action, will not only bring you into compliance with existing requirements but prepare you for CMMC as well. By focusing on compliance with NIST 800-171, you’ll be 85% of the way to CMMC ML 3 compliance when it arrives.
So where do you start? We’ve developed a proven, audited tested methodology over hundreds of assessments to enable contractors to meet NIST 800-171 compliance. Download our 5 Step Guide to CMMC preparation that assures compliance with NIST 800-171.