The Department of Defense’s (DoD’s) plans for a new wide-reaching cybersecurity requirement (the Cybersecurity Maturity Model Certification, or CMMC) have been the subject of discussion among federal contractors for quite some time now. On September 29, 2020, the DoD finally put out an Interim Rule announcing how it plans to implement that requirement.
As has been typical for the roll-out of the new standard, that Interim Rule did not come without its surprises. The Interim Rule premiered a “two-pronged approach” by which the DoD will “assess and verify the [defense industry’s] ability to protect [Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)] on its information systems or networks.”
The first part of that approach is the implementation of the DoD’s long-awaited CMMC standard, while the second part encompasses a new effort to assess whether contractors comply with the requirements of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. The changes are effective on November 30, 2020, although many contractors are likely to feel the impact of those NIST assessments even before they see the CMMC requirements in their contracts.
The descriptions for both of these “new” cybersecurity requirements, however, contain details that defense contractors (and many others) should know:
The NIST SP 800-171 DoD Assessment.
- Verifies Compliance with Existing Requirements. The new process builds on the requirements of the existing DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which directed “contractors to apply the security requirements of NIST SP 800-171 to ‘covered contractor information systems,’ as defined in the clause, that are not part of an IT service or system operated on behalf of the Government.”
The DoD assessments will allow the agency to determine whether contractors are in compliance with those security requirements. But the assessments do not add any substantive requirements to either NIST SP 800-171 or DFARS clause 252.204-7012 (e.g., contractors must still have a system security plan and a plan of action in place for each unimplemented security requirement).
- Mandates Assessments for Most Prime Contractor and Subcontractor Awards. Both contractors and subcontractors are required to have at least a current Basic NIST SP 800-171 DoD Assessment at the time of award. This requirement will be a part of all DoD solicitations and contracts after November 30, 2020, with the exception of those that are solely for the acquisition of commercially available off-the-shelf (“COTS”) items or possibly those below the micro-purchase threshold. Prime contractors will have to ensure that their subcontractors are in compliance with this requirement.
Supplementary guidance from the DoD noted that the assessments are focused “on the extent to which the company has implemented the requirements. [They are] not a value judgement about the specific approach to implementing – in other words, all solutions that meet the requirements are acceptable. [These are] not an assessment of one solution compared to another.”
- Three Types of Assessments. The Rule provides for three types of Assessments: Basic, Medium, and High. While the Basic Assessment requires contractors to assess themselves against the requirements, the DoD will perform any Medium and High Assessments (through the Defense Contract Management Agency (DCMA) or another organization).
“The requirement for the Basic Assessment [will be] imposed through incorporation of the new solicitation provision and contract clause in new contracts and orders. As such, the requirement to have completed a Basic Assessment is expected to phase-in over a three-year period[.] It is expected that the Medium and High Assessments, on the other hand, will be conducted on a finite number of awardees each year based on the capacity of the Government to conduct these assessments.” The DoD estimates that it will perform such Medium Assessments on 200 entities and High Assessments on approximately 110 entities in each year.
- Assessments Last for Three Years. Each assessment will generally remain current for three years, with the exception of circumstances where a high program risk or a security-relevant change makes more frequent assessments necessary.
- Assessments Must Be Reported. The results of the Assessments have to be reported in the Supplier Performance Risk System (“SPRS”), which the DoD uses to assess corporate business practices related to DoD contracts and the supplier’s management of risk. Contractor representatives may enter their results for Basic Assessments in SPRS, and DCMA’s assessors will enter the summary results for their Medium and High assessments there as well.
- The Assessments Will Allow for Disputes of the Final Determination. The DoD indicated that contractors may appeal its findings during the Medium and High Assessments. Specifically, the Supplementary Guidance on the Assessment process indicated that “upon completion of each assessment, the assessed contractor [will have] 14 business days to provide additional information to the assessment team, [in order] to demonstrate that they meet any security requirements not observed by the assessment team or to rebut the findings that may be of question.”
The Cybersecurity Maturity Model Certification (CMMC) Framework.
Much of the detail in the Interim Rule formalized what the DoD has previously emphasized about the CMMC requirements. That said, the most significant aspects of the new standard discussed in the Interim Rule and other recent releases from the DoD on the subject are the following:
- DoD Still Plans to Require Most DoD Prime Contractors and Subcontractors to Obtain CMMC Certifications. The Interim Rule indicates that the new requirement will apply to all DoD solicitations and contracts, including those for the acquisition of commercial items (that are not exclusively for COTS items or possibly any that are below the micro-purchase threshold), by October 1, 2025.
The DoD will require contractors to have CMMC certifications at the time of award. The DoD will not award contracts or exercise options with contractors that do not possess the certification necessary for the CMMC level required for the specific work, even before October 1, 2025. Similarly, prime contractors must ensure that their subcontractors are compliant with the CMMC level appropriate for the subcontracted scope before issuing any subcontract awards.
- There Are No Self-Certifications for CMMC. All assessments will be conducted by CMMC Third Party Assessment Organizations (C3PAOs) accredited by the CMMC-Accreditation Body (AB). Upon completion of those assessments, however, only the CMMC-AB can provide the evaluated contractor with its certification at the applicable CMMC level.
The CMMC-AB will document the certifications in SPRS, which is the same system that the DoD plans to use to maintain the results of its NIST SP 800-171 Assessments. Those certifications will generally last for three years.
- The CMMC Standards Involve Five Levels. The Interim Rule is consistent with DoD’s prior statements that there will be five levels of CMMC certifications, with the vast majority of entities requiring only CMMC Level 1-3 certificates during the initial rollout. The DoD notes that it does not anticipate releasing any new contracts that would require a CMMC Level 2.
The DoD adds that contractors who do not process, store, or transmit CUI will generally only require a CMMC Level 1 certification. At the same time, the DoD will require contractors that process, store, or transmit CUI to achieve a CMMC Level 3 or higher, depending on the sensitivity of the information involved.
- CMMC Requirements Will Be Rolled Out Over Time (By Mid-Spring 2021 for Construction Contractors). The DoD is implementing a phased rollout of this new standard, with no more than 15 prime contracts expected to contain CMMC requirements in FY 2021. In a recent webinar for the Associated General Contractors of America, the DoD’s Chief Information Security Officer for Acquisition and the lead for the CMMC Program, Ms. Katie Arrington, indicated that the DoD plans to release its first solicitation for construction work that includes this requirement in the middle of Spring 2021.
- CMMC Certifications Can Be Segmented. Contractors will be able to obtain a CMMC certification for their entire enterprise network or a “particular segment(s) or enclave(s),” which will depend on where the protected information is processed, stored, or transmitted.
- Contractors Will Be Able to Dispute the Findings of an Assessment. As part of the CMMC process, contractors that disagree with the outcome of a CMMC assessment will be able to submit a dispute adjudication request to the CMMC-AB along with supporting information related to claimed errors, malfeasance, or ethical lapses by the C3PAO. The CMMC-AB will then follow a formal process to review the adjudication request and provide a preliminary evaluation to the contractor and C3PAO. If the contractor does not accept the CMMC-AB preliminary finding, the contractor may request an additional assessment by the CMMC-AB staff.
- No Duplication of Assessments. The DoD repeatedly states that it has no plans to duplicate efforts when conducting NIST SP 800-171 DoD Assessments and CMMC assessments, with the exception of certain rare circumstances when a re-assessment may be necessary.
The First Steps for Contractors.
With the release of this Interim Rule, contractors can no longer delay focusing on cybersecurity. Failure to comply with these requirements will leave both contractors and subcontractors unable to obtain awards from the DoD going forward and may cause even worse outcomes (e.g., False Claims Act violations, suspension, and debarment) in certain circumstances.
DoD contractors that have not done so already should confirm that they are in compliance with DFARS clause 252.204-7012 (and other cybersecurity clauses), including any security requirements of NIST SP 800-171, and create system security plans with a plan of action where necessary. Contractors should use the most recent version of the CMMC Model as a guide to additional changes to their systems that may soon become a requirement. Prime contractors should also take the steps necessary to ensure that their subcontractors are aware of these upcoming requirements, will be in compliance when necessary, and have these cybersecurity requirements incorporated into their subcontracts.