Summary
The DoD’s Interim Rule for its CMMC program plan has now been published. As of November 30, all DoD contractors (prime and subcontractor) will need to report their compliance with the security controls in NIST SP 800-171. The interim rule puts a new assessment and reporting system in place that will verify compliance prior to contract award. Contractors cannot be awarded contracts, nor can they award subcontracts, unless they and their relevant subcontractors have performed self-assessments and reported those results to a DoD website.
Background
At the end of September the Department of Defense (DoD) issued a long-anticipated interim rule implementing its Cybersecurity Maturity Model Certification (CMMC) program. CMMC is a new DoD certification process that measures a company’s implementation of cybersecurity processes and practices. The rule amends the Defense Federal Acquisition Regulation Supplement (DFARS) to set forth requirements for the CMMC program, as well as new requirements for a “NIST SP 800-171 DoD Assessment Methodology.” The NIST 800-171 Assessment Methodology provides a standardized approach to assess contractor implementation of the cybersecurity requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. The interim rule becomes effective November 30, 2020, although full implementation of CMMC in every DoD contract will not be achieved until September 2025. Both of the new clauses in the rule are to be included in all solicitations and contracts after November 30, including those for commercial items, unless solely commercial off-the-shelf (COTS) products are involved.
While the CMMC rollout is not news to the DoD contracting community, what may be surprising to contractors is the new requirement in the interim rule covering the interim period until CMMC rollout is complete. Specifically, the rule requires contractors to score their current cybersecurity compliance and report that status to a DoD website for consideration prior to any new contract award, or prior to the DoD’s exercise of any contract option.
The current DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is required in all DoD contracts except those solely for COTS items. Under 252.204-7012, contractors must apply the cybersecurity requirements of NIST SP 800-171 to “covered contractor information systems,” which are generally those that store, process, generate, transmit or access DoD-related controlled unclassified information (CUI). Presently, contractors and any of their subcontractors with access to CUI conduct their own internal assessment (or arrange for one by a third party) and then self-certify as to compliance through acceptance of the clause in contracts and subcontracts. Although this self-attestation is on the honor system, contractor compliance has been lagging.
Interim Rule
This new interim rule is part of DoD’s efforts to enhance the protection of sensitive data within the defense supply chain. For contractors already required to comply with NIST SP 800-171 by DFARS 252.204-7012, DoD is now going to hold those contractors accountable and is instituting an assessment and reporting system to verify compliance before new contracts can be awarded. While the new requirement states this information must be provided prior to contract or option award, DoD encourages affected contractors to begin their self-assessments immediately.
To document implementation of NIST 800-171, the contractor must develop and maintain a System Security Plan (SSP) that describes system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. There are also 110 technical controls that must be implemented to become fully compliant with NIST 800-171. If implementation of the security requirements is not complete, companies must develop and execute plans of action to describe when and how any unimplemented security requirements will be met.
The interim rule defines a specific scoring methodology to be followed for the assessment that takes into account how many of the NIST SP 800-171 controls a contractor has implemented. A contractor that has fully implemented all 110 NIST SP 800-171 security controls will have a score of 110. Law firm Sheppard Mullin’s GovCon blog notes, “It goes without saying that contractors will need to be careful here – an inaccurate report could subject a company to exposure under the False Claims Act.” Assessments will be valid for three years unless there are issues requiring a reassessment sooner.
Results of the NIST SP 800-171 DoD Assessments and CMMC certifications will be reported and maintained in a Defense Information Systems Agency-run database, the Supplier Performance Risk System (SPRS). As part of the process, each contractor must supply the following information with respect to each system being assessed: system security plan name, CAGE code, brief description of plan architecture, date of assessment, total (current) score, and date that a score of 110 will be achieved. The SPRS database will be accessible throughout DoD. Contracting officers will be required to check SPRS and verify information on the contractor’s assessment or CMMC status prior to contract award or prior to exercising an option period or extending a contract period of performance. Assessments in SPRS are good for three years, and must be renewed prior to expiration in order for DoD contractors to maintain eligibility for contract awards. Assessments must be completed for each contractor IT system used in connection with a DoD contract.
Law firm Pillsbury notes this NIST 800-171 assessment clause is likely to raise immediate concerns for some DoD contractors. Although industry has been anticipating the CMMC rollout, the DoD has not previously explained the requirements that contractors will be subject to while the multi-year rollout is ongoing. As a practical matter, many DoD contractors are already subject to these requirements under their existing contracts. However, posting the required assessment may pose a significant administrative burden for contractors that have not recently assessed their level of compliance. Additionally, the clause prohibits contractors from awarding subcontracts, or any other contractual instruments, to subcontractors that do not have a current assessment posted in SPRS.
What to Do Now
It is critical that contractors begin the process of ensuring they are eligible to compete for future awards. Familiarize yourself with the DoD assessment methodology and prepare to either perform a self-assessment or arrange for one by a third party. Based on the language of the interim rule, assessment results must be reported to SPRS in order for your company to receive an award after November 30, 2020. If you are not required to implement NIST SP 800-171 security controls because your company does not store, process, generate, transmit or access covered defense information on its systems, be prepared to document why you do not need to conduct a DoD assessment.
An External Assessment Can Help
DoD’s new cybersecurity requirements are changing how contractors can win contract awards, and those who are not able to demonstrate their compliance may risk losing future opportunities. For smaller companies with limited bandwidth, it may be in your best interest to have a professional compliance organization perform your assessment and provide a gap analysis. An external assessment of your current cybersecurity posture can help you understand which of your security practices are already in good shape and which need more work and attention from an implementation perspective.
Assessments typically start with data discovery, including technical scans, policy reviews, personnel interviews, and other inputs. Each security control is then validated in order to determine the effectiveness of its implementation. The resulting gap analysis will facilitate your organization’s development of a remediation plan, which will provide a roadmap to compliance. For additional information on our information security assessment and advisory services, including CMMC and NIST 800-171 guidance, schedule a free discovery call with Kane Federal Services today.