On September 29, 2020, the U.S. Department of Defense (DoD) released an interim rule titled Assessing Contractor Implementation of Cybersecurity Requirements (Defense Federal Acquisition Regulation Supplement (DFARS) Case 2019-D041). The rule amends the DFARS and, at the same time, implements the DoD Cybersecurity Maturity Model Certification (CMMC) program. Although the implementation of the CMMC has been long overdue, the rule introduces a new cybersecurity assessment requirement, effective November 30, 2020. The CMMC framework will assess whether contractors within the DoD supply chain have implemented the cybersecurity requirements intended to protect unclassified information. Contractors will use the CMMC framework to assess their cybersecurity compliance before they are awarded a new DoD contract, extend the performance period of any DoD contract, or exercise any contract option with the DoD. A critical part of the rule concentrates on establishing whether contractors have complied with all the controls described in the NIST SP 800-171 standard.
The continued rise in theft of intellectual property and confidential information across industrial sectors informed the issuance of the interim rule. These heightened adversarial incidents threaten U.S. national and economic security. In a report by the Council of Economic Advisers, the estimated cost of malicious cyber activity in 2016 ranged between $57 billion and $109 billion. Issuing the interim rule is one of multiple efforts the DoD has focused on to realize stronger security in the supply chain. It aims to build resiliency in the Defense Industrial Base (DIB).
The CMMC Framework
One of the notable additions in the interim rule is DFARS Subpart 204.75, CMMC. The CMMC framework builds on the current NIST SP 800-171 standard, the publication that provides cybersecurity guidelines for contractors working with the federal government. The CMMC consists of basic requirements for protecting federal contractor data, cybersecurity requirements for securing controlled unclassified information (CUI), and certification requirements for third parties. The third-party certification requirements are for verifying whether contractors have complied with the practices and processes required to achieve any of the five certification or maturity levels. CMMC consists of five maturity levels, with level one being ‘basic cyber hygiene’ and level five being ‘progressive/advanced.’
The CMMC subpart describes the procedures and policies for awarding or extending contracts between November 30, 2020, and October 1, 2025. It requires DoD contractors to attain a CMMC certificate matching the specified level during solicitation before being awarded a contract. It also specifies that contractors ensure the CMMC certificate is current (i.e., not older than three years) throughout the contract period. The CMMC framework also prohibits contracting officers from extending or exercising a contract performance period without a current CMMC certification.
Additionally, the interim rule establishes DFARS 252.204-7021, Contractor Compliance with CMMC Certification Level Requirements. The new clause will be part of all contracts, solicitations, delivery orders, and task orders. During the rollout of CMMC requirements, this clause will be incorporated in any DoD contract requiring instant CMMC certification. Which solicitations are subject to the DFARS 252.204-7021 clause will be at the discretion of the Under Secretary of Defense for Acquisition and Sustainment (USD A&S). Contractors bound by the CMMC requirement will need to meet the following requirements described in the new clause:
- Ensure the CMMC certification is current and at the required CMMC level
- Maintain the required CMMC level through the contract life
- Flow down the clause requirements to all contractual agreements and subcontracts, except for commercially available off-the-shelf (COTS) items
- Ascertain a subcontractor has a current CMMC certification at the required CMMC level before sharing any information
Moreover, the interim rule prescribes a new DFARS provision and clause comprising contractor assessment requirements: 252.204-7019 and 252.204-7020. The former guides offerors on the new assessment requirements, while the latter requires all DoD contractors to instantly post their cybersecurity compliance assessments on the DoD’s Supplier Performance Risk System (SPRS). Prime contractors must flow down the DFARS 252.204-7020 requirements to all subcontractors.
The DoD Assessment Methodology
Contracts subject to the DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, direct contractors to implement the cybersecurity requirements in the NIST SP 800-171. Contractors must apply the requirements to all contractor information systems not operated on behalf of the federal government or not part of the government’s IT service.
The assessment methodology also uses three assessment levels (basic, medium, and high) to establish how well contractors have applied the NIST SP 800-171 controls. The assessment level reflects, in the resulting score, the depth of the assessment and the degree of confidence in the implementation. The government conducts the medium and high assessments, while the contractor performs the basic assessment as a self-assessment. The DFARS clause 252.204-7020 requires contractors to provide the federal government with access to their personnel, systems, and facilities when the government performs a medium or high assessment. The clause applies where the DoD deems it necessary to renew an assessment or perform a higher-level one, or depending on the criticality of the information under a contractor’s control.
The CMMC requirements are expected to be fully implemented by 2025, but key impacts and changes in DoD contracts will take effect starting November 30, 2020. They include:
- Poor assessment scores and reviews of a contractor’s compliance with NIST SP 800-171 will hinder its ability to win DoD contracts. Contractors that fail to win awards may face challenges and barriers in the contracting community, narrowing the DIB.
- Under the CMMC framework, third parties will be responsible for reviewing a contractor’s maturity level. While the process a contractor will follow to dispute an unfair third-party assessment is unclear, a negative finding may impact the ability of contractors to bid on new contracts.
- The interim rule directs all prime contractors to verify the assessments and CMMC certifications of all subcontractors.
- The interim rule estimates the cost required to accomplish a CMMC level 1 assessment or recertification for a small business at $2,999.56. Costs for the higher CMMC levels can be found here. Note that the higher the level, the higher the cost.