If you are a DoD Contractor, you need to read this ASAP! The Evolution of Contracting with the DoD
First, there was the DEFENSE FEDERAL ACQUISITION REGULATION SUPPLEMENT (DFARS)…
Then there was the FEDERAL ACQUISITION REGULATION (FAR)…
And then there was the CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC)…
Now there’s DEFENSE FEDERAL ACQUISITION REGULATION SUPPLEMENT ASSESSING CONTRACTOR IMPLEMENTATION OF CYBERSECURITY REQUIREMENTS (DFARS CASE 2019–D041)…
You can find the Interim Rule here.
What just happened? Let me narrate for you and share some important sections of the regulation.
A little background might be in order:
“Under DFARS clause 252.204–7012, DIB companies self-attest that they will implement the requirements in NIST SP 800–171 upon submission of their offer. A contractor can document the implementation of the security requirements in NIST SP 800–171 by having a system security plan in place to describe how the security requirements are implemented, in addition to associated plans of action to describe how and when any unimplemented security requirements will be met.”
“As a result, the current regulation enables contractors and subcontractors to process, store, or transmit CUI without having implemented all of the 110 security requirements and without establishing enforceable timelines for addressing shortfalls and gaps.”
BOOM!!! There goes our most sensitive data.
“Findings from DoD Inspector General report (DODIG–2019–105 ‘‘Audit of Protection of DoD Controlled Unclassified Information on Contractor-Owned Networks and Systems’’) indicate that DoD contractors did not consistently implement mandated system security requirements for safeguarding CUI and recommended that DoD take steps to assess a contractor’s ability to protect this information.”
“The report emphasizes that malicious actors can exploit the vulnerabilities of contractors’ networks and systems and exfiltrate information related to some of the Nation’s most valuable advanced defense technologies.”
“Because of these issues and shortcomings and the associated risks to national security, the Department determined that the status quo was not acceptable and developed a two pronged approach to assess and verify the DIB’s ability to protect the FCI and CUI on its information systems or networks, which is being implemented by this rule.”
Yes, that’s right: DoD contractors / Defense Industrial Base (DIB) companies have been self-attesting to compliance with the DFARS for years. They were able to claim compliance with security controls using their own definitions of compliance and by pointing to a plan to correct issues.
The Government decided enough was enough and created a new program (CMMC) that requires a third-party assessment to prove compliance. Well, that program is taking a while to get off the ground.
“DoD is implementing a phased rollout of CMMC. Until September 30, 2025, the clause at 252.204–7021, Cybersecurity Maturity Model Certification Requirements, is prescribed for use in solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, excluding acquisitions exclusively for COTS items, if the requirement document or statement of work requires a contractor to have a specific CMMC level. In order to implement the phased rollout of CMMC, inclusion of a CMMC requirement in a solicitation during this time period must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment.”
“CMMC will apply to all DoD solicitations and contracts, including those for the acquisition of commercial items (except those exclusively COTS items) valued at greater than the micro-purchase threshold, starting on or after October 1, 2025. Contracting officers will not make award, or exercise an option on a contract if the offeror or contractor does not have current (i.e. not older than three years) certification for the required CMMC level.”
The Government is going to adopt the CMMC slowly, and inclusion of a CMMC requirement in a solicitation needs to be approved until October 1, 2025. Does that sound backwards to you? I think it leaves our nation vulnerable to attack for years to come, and so did the Government, which is why it needed an interim rule. Now the DoD has published an 18-page Interim Rule that is effective 30 November 2020, with all comments to be submitted before that date for consideration in the formation of the final rule.
The new Interim Rule DFARS clause 252.204-7012 will require the use of the NIST SP 800-171 DoD Assessment Methodology, with a standard scoring methodology and three assessment levels (Basic, Medium, High) to reflect the depth of the assessment. Basic assessments are self-assessments, while Medium and High assessments are done by the Government. This rule amends DFARS subpart 204.73, Safeguarding Covered Defense Information and Cyber Incident Reporting, to implement the NIST SP 800–171 DoD Assessment Methodology.
So, what is the big deal to DoD Contractors? Let’s look…
1. DFARS (NIST SP 800-171) is becoming an interim step to getting DoD contractors ready for third-party assessments
“The NIST SP 800–171 DoD Assessment and CMMC assessments will not duplicate efforts from each assessment, or any other DoD assessment, except for rare circumstances when a re-assessment may be necessary, such as, but not limited to, when cybersecurity risks, threats, or awareness have changed, requiring a re-assessment to ensure current compliance.”
“Building upon the NIST SP 800–171 DoD Assessment Methodology, the CMMC framework adds a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level.”
This chart shows the top-level interrelation of the requirements and thus you can see how they are tied together:
Let’s put that aside for a moment as CMMC won’t go into full effect for a few years.
2. The DoD is now setting ground rules for how DoD contractors need to self-assess as a step towards receiving a third-party audit:
“Provides a Standard Methodology for Contractors to Self-assess Their Implementation of NIST SP 800–171. The Basic Assessment provides a consistent means for contractors to review their system security plans prior to and in preparation for either a DoD or CMMC assessment.”
3. You can still do the assessment yourself, but the Government wants the result details:
“DoD Assessment Methodology. To comply with NIST SP 800–171 a company must (1) implement 110 security requirements on their covered contractor information systems; or (2) document in a ‘‘system security plan’’ and ‘‘plans of action’’ those requirements that are not yet implemented and when the requirements will be implemented.”
(That’s good too… not much changed.)
4. DoD Contractors are going to have to report to the DoD their assessment scores:
“All offerors that are required to implement NIST SP 800–171 on covered contractor information systems pursuant to DFARS clause 252.204–7012, will be required to complete a Basic Assessment and upload the resulting score to the Supplier Risk Management System (SPRS), DoD’s authoritative source for supplier and product performance information.”
“The Basic Assessment is a self-assessment done by the contractor using a specific scoring methodology that tells the Department how many security requirements have not yet been implemented and is valid for three years. A company that has fully implemented all 110 NIST SP 800–171 security requirements would have a score of 110 to report in SPRS for their Basic Assessment. A company that has unimplemented requirements will use the scoring methodology to assign a value to each unimplemented requirement, add up those values, and subtract the total value from 110 to determine their score.”
Hold up for a moment: that’s a big change. You need to give the results of your assessment to the Government. They want to know whether you have the controls implemented or whether you are relying on the ‘‘system security plan’’ and ‘‘plans of action’’.
How do you calculate your score? You start with a score of 110 and then deduct the weighted points associated with each requirement that is not fully implemented (where you are relying on the SSP and POA&Ms). Did I mention that you can lose up to 313 points? That translates to a range of -203 to 110 points.
Here is the format of the report needed for reporting:
Using this assessment approach, you could end up with a negative score. That is going to be a hard story to spin to the Government.
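As an added example (not from the article or the Interim Rule), here is a small Python calculator for the Basic Assessment score described above. The requirement weights are a constructed sample, not the full published table; the partial-credit rule for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography) is the one in the DoD Assessment Methodology.

```python
# Basic Assessment (SPRS) score calculator: start at 110 and deduct the weight of every
# NIST SP 800-171 requirement that is not fully implemented (i.e. still on the POA&M).
MAX_SCORE = 110
MIN_SCORE = -203  # floor stated in the article: 110 minus the 313 deductible points

# ASSUMPTION: constructed sample of requirement weights, not the full published table.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.3": 1,    # control the flow of CUI
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography to protect CUI
    "3.14.2": 5,   # malicious code protection
}

# Requirements where the methodology allows a reduced deduction for partial implementation.
PARTIAL_CREDIT = {
    "3.5.3": 3,    # MFA for remote and privileged users, but not yet for general users
    "3.13.11": 3,  # encryption in use, but not FIPS-validated
}


def basic_assessment_score(status):
    """status maps requirement id -> 'implemented' | 'partial' | 'not_implemented'.

    Returns (score, deductions); deductions lists (id, points) for each shortfall.
    Unknown ids raise so that a typo in an SSP export cannot silently inflate the score."""
    deductions = []
    for req, state in status.items():
        if req not in WEIGHTS:
            raise KeyError(f"unknown NIST SP 800-171 requirement id: {req}")
        if state == "implemented":
            continue
        if state == "partial" and req in PARTIAL_CREDIT:
            deductions.append((req, PARTIAL_CREDIT[req]))
        elif state in ("partial", "not_implemented"):
            # no partial-credit rule for this requirement: the full weight is lost
            deductions.append((req, WEIGHTS[req]))
        else:
            raise ValueError(f"unknown status {state!r} for {req}")
    score = MAX_SCORE - sum(points for _, points in deductions)
    assert MIN_SCORE <= score <= MAX_SCORE
    return score, deductions


if __name__ == "__main__":
    # Constructed sample POA&M status for a contractor that still has open items.
    sample = {"3.1.1": "implemented", "3.1.3": "not_implemented",
              "3.5.3": "partial", "3.13.11": "partial", "3.14.2": "not_implemented"}
    print(basic_assessment_score(sample))  # (98, [...])
```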
5. The Government is reserving the right to come in and review you themselves.
“The new DFARS clause 252.204–7020 requires a contractor to provide the Government with access to its facilities, systems, and personnel when it is necessary for DoD to conduct or renew a higher-level Assessment.”
If the DoD does not believe you or does not like your score, it reserves the right to come in and review you. Do you like the sound of that? That is not good for DoD contractors that have been relying on an IT SSP and POA&Ms, but it is good for forcing everyone to improve their security posture and protect our nation’s resources now.
6. What if you score a negative number?
We do not really know yet, but they have stated that they reserve the right to show up at your doorstep and review your plans line by line.
“After a contract is awarded, DoD may choose to conduct a Medium or High Assessment of an offer based on the criticality of the program or the sensitivity of information being handled by the contractor. Under both the Medium and High Assessment DoD assessors will be reviewing the contractor’s system security plan description of how each NIST SP 800–171 requirement is met and will identify any descriptions that may not properly address the security requirements. The contractor provides DoD access to its facilities and personnel, if necessary, and prepares for/participates in the assessment conducted by the DoD.”
7. If the DoD determines you require a High Assessment, then it is even worse for those of you who have been relying on IT SSP and POA&Ms since you will be required to demonstrate the implementation of your plan.
“Under a High Assessment a contractor will be asked to demonstrate their system security plan. DoD will post the results in SPRS.”
Imagine the IRS showing up at your house or your place of business and asking to see EVERYTHING!
8. The DoD Components are no longer going to review contractors one contract at a time. They are going to coordinate their approach by allowing each department to see your summary-level scores.
This will provide DoD Components with visibility to summary level scores, rather than addressing implementation of NIST SP 800–171 on a contract-by-contract approach.
Time is up… We can’t wait for CMMC anymore or only rely on SSPs and POA&Ms.
If you have been waiting to see what comes of CMMC, it may be time to rethink that approach. Your business is in jeopardy if you are not taking action now to shore up any compliance deficiencies.