Understanding the Impact of DFARS 252.204-7012, NIST SP 800-171, and CMMC on Defense Contractors
I’m a DoD contractor; what do I need to do for CMMC?
To start or continue working with the DoD, all contractors must achieve and maintain the appropriate level of cybersecurity compliance. But what do you need to do, and when does it need to be done? Simple questions deserve simple answers. The truth is that what you need to do is straightforward and can be done in a way that enables you to pay as you go, doing what is required now while laying the foundation for the future.
At a minimum, defense contractors must understand what DFARS 252.204-7012, NIST SP 800-171, and CMMC are and how non-compliance will impact their business. By now, you have probably heard of the Cybersecurity Maturity Model Certification or CMMC; in fact, you are probably tired of hearing about it.
Everything seemingly changed when the DFARS interim rule took effect on November 30, 2020, adding clauses 252.204-7019, 252.204-7020 and 252.204-7021 (the CMMC clause). In reality, the underlying requirement is the same; what changed is that DoD now verifies and enforces it. Enforcement comes in the form of “no compliance, no contract,” which is the ultimate incentive for any business reliant on DoD revenue. The good news is that the long-term compliance steps are very much the same as they have been since 2015: everything is grounded in NIST SP 800-171 as the first step. So let us look at what needs to happen and in what order:
- Compliance with DFARS 252.204-7012 mandates NIST 800-171 compliance.
- Contractors are required to assess their compliance against NIST SP 800-171 using the NIST SP 800-171 DoD Assessment Methodology, which starts at 110 points and deducts 1, 3 or 5 points for each requirement that is not fully implemented.
- The resulting assessment score must be submitted to the Supplier Performance Risk System (SPRS).
- If you do nothing else, assess yourself against NIST 800-171 compliance, submit your score via SPRS and then start closing the gaps.
- New DoD contract awards after November 30, 2020 require a current NIST SP 800-171 DoD Assessment score (no more than three years old) to be posted in SPRS before award. In other words, no assessment, no revenue.
- CMMC at its foundation is based on NIST 800-171, so all the work you have done up to this point for NIST 800-171 will speed your CMMC compliance efforts.
If you are required to comply with DFARS 252.204-7012 and implement NIST SP 800-171, it is a reasonable assumption that you will ultimately need to achieve CMMC Maturity Level 3 (ML 3). But first things first: let us understand the basis of everything and then build from there.
Understanding DFARS 252.204-7012 and NIST SP 800-171
The Defense Federal Acquisition Regulation Supplement (DFARS) has been updated to enforce DoD contractor compliance with specific regulatory requirements to protect America’s defense industrial base. Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, dates back to 2015 (with full implementation required by December 31, 2017) and is intended to protect covered defense information (CDI), a category of Controlled Unclassified Information (CUI), on defense contractor networks.
Under the Clause, contractors must implement the security requirements of the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171), which lays out how CUI must be protected in non-federal systems. The obligation to report cyber incidents to DoD comes from the Clause itself, not from NIST SP 800-171.
Among its 110 requirements, NIST SP 800-171 requires you, as a defense contractor, to produce two documents in particular, and these are what any assessor will ask for first:
- Security requirement 3.12.4 requires the contractor to develop, document, and periodically update System Security Plans (SSPs) that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
- Security Requirement 3.12.2 requires the contractor to develop and implement Plans of Action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.
Under the Clause alone, a contractor attests to compliance with NIST SP 800-171 by accepting the contract; since November 30, 2020, DFARS 252.204-7019 and 252.204-7020 additionally require the contractor’s self-assessment score to be posted in SPRS and allow DoD to conduct its own Medium or High assessments. The Clause also goes beyond NIST SP 800-171 and sets out additional rules to protect covered defense information (CDI), described below.
Supply Chain Management
DFARS Clause 252.204-7012 requires you, as a contractor, to take a proactive role in the protection of CDI. Not only must you demonstrate compliance within your own business, but to strengthen the entire supply chain, you must flow the Clause down, without alteration, to every subcontractor whose performance involves CDI or operationally critical support.
A subcontractor that cannot implement a NIST SP 800-171 requirement as written must submit a request to vary (an alternative but equally effective measure) through the Contracting Officer for written approval by the DoD CIO, and must notify you, as the prime or next higher tier, when it does so. Approval of the variance rests with the DoD CIO, not with the prime; your job is to know which of your subcontractors are operating under one before you share CDI with them.
Reporting Cybersecurity Incidents
The Clause defines a cyber incident as actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. In practice, that means any event that compromises or endangers CDI, or the systems that process it, on your network or a subcontractor’s.
In the event of a cyber incident, your responsibility under DFARS Clause 252.204-7012 is to report it to DoD within 72 hours of discovery through the DIBNet portal. Reporting requires a DoD-approved medium assurance certificate, so obtain one before you need it. You must review the affected systems for evidence of compromise, identifying compromised computers, servers, data and user accounts; preserve and protect images of all known affected systems and all relevant monitoring and packet-capture data for at least 90 days from the submission of the report, so that DoD can request the media if it chooses; and, if you isolate malicious software, submit it to the DoD Cyber Crime Center (DC3). A review of how to prevent a recurrence is sound practice, but the 90-day preservation and the malware submission are the obligations the Clause actually spells out.
A subcontractor that experiences a cyber incident reports it directly to DoD in the same way and, as soon as practicable, passes the DoD-assigned incident report number to you (or to the next higher-tier subcontractor). You do not file the report on the subcontractor’s behalf; your role is to flow the requirement down and to track the report numbers you receive.
The requirements above summarize DFARS 252.204-7012 and NIST SP 800-171; if you have met them, you have covered 110 of the 130 practices in CMMC ML 3.
Why CMMC Maturity Level (ML) 3 Compliance?
If your current contracts call for DFARS 252.204-7012 compliance, the government believes that you have Controlled Unclassified Information (CUI), which means you should aim for CMMC ML 3 as your next step.
CMMC ML 3 includes all 110 NIST SP 800-171 requirements plus 20 additional practices, for a total of 130 practices, together with maturity processes (documented policies, documented practices and a resourced plan) for each domain. The most significant difference between NIST SP 800-171 under DFARS 252.204-7012 and CMMC is that the former lets you be compliant with some requirements still open, provided each gap is tracked in a Plan of Action and Milestones (POA&M), whereas a CMMC assessment gives no credit for planned work: every practice must be implemented at the time of assessment. This is a revenue-limiting difference that deserves your full attention. You either meet all of CMMC ML 3, or you are not certified.
As you look at getting to full compliance with CMMC ML 3, your company’s specific needs will vary in addressing the remaining 20 practices. Contact CyberSheath to see how we can help you achieve and maintain compliance with DFARS 252.204-7012, NIST SP 800-171, and CMMC ML 3. Often, an enclave that confines CUI to a small, tightly controlled set of systems is the fastest path to CMMC ML 3 compliance, but each situation is different. CMMC compliance requires documented, integrated and evidence-based cybersecurity, IT, and governance. Register now for a live webinar on April 21, 2021, at 9:00 am PDT | 12:00 pm EDT, to learn how you can bring order to the chaos of achieving NIST SP 800-171 and CMMC compliance.