On September 29, 2020, the Department of Defense (“DoD”) issued an Interim Rule to supplement its Cybersecurity Maturity Model Certification (“CMMC”) program with a DoD Assessment Methodology. The new rule amends the Defense Federal Acquisition Regulation Supplement (“DFARS”) to create a two-step review process for contractors: a contractor must first have a current NIST SP 800-171 DoD Assessment on record, and only later will it be put through the full CMMC certification framework. The Interim Rule goes into effect on November 30, 2020, and DoD is accepting comments until that date in anticipation of issuing a final rule in the future.1 The CMMC framework is slated to go into full effect on October 1, 2025.
DoD issued the Interim Rule to “address threats to the U.S. economy and national security from ongoing malicious cyber activities, which includes the theft of hundreds of billions of dollars of U.S. intellectual property.” The Interim Rule implements two methodologies for verifying contractor compliance with cybersecurity requirements — first under NIST SP 800-171 and second under CMMC.
Assessment Framework Under NIST SP 800-171
Until now, neither the Federal Acquisition Regulation (“FAR”) nor the DFARS provided a mechanism for verifying, prior to contract award, a contractor’s implementation of the basic safeguarding requirements or of the security requirements specified in NIST SP 800-171. The existing clause at DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires defense contractors and subcontractors to provide “adequate security” on contractor information systems that store, process, or transmit covered defense information (a category of Controlled Unclassified Information). Before the Interim Rule, DoD’s only option was to request and review a contractor’s or subcontractor’s System Security Plan explaining its compliance with all 110 security requirements under NIST SP 800-171, together with any Plan of Action and Milestones (“POA&M”) describing its plan for achieving compliance with requirements not currently met.
The DoD Assessment Methodology addresses the gaps in this process by separating assessments into three levels (Basic, Medium, and High) that reflect the depth of the assessment performed and, correspondingly, DoD’s level of confidence in the resulting score. A Basic assessment is a self-assessment performed by the contractor using the DoD Assessment Methodology. DoD may choose to perform Medium and High assessments of contractors itself, “based on the criticality of the program or the sensitivity of information handled by the contractor.” DoD estimates that it will complete 200 Medium assessments and 110 High assessments each year. Contractors that disagree with DoD’s assessment will have 14 business days to rebut the findings.
The assessment results will be posted in the Supplier Performance Risk System (“SPRS”) so that DoD Components can access them. Beginning November 30, 2020, DoD will require a contractor to have a current security assessment on record (i.e., not more than three years old, unless a lesser time is specified in the solicitation) before awarding any contract subject to the new clauses. To that end, DoD will include two new clauses in every solicitation or contract, including those for commercial items, other than contracts solely for the acquisition of commercially available off-the-shelf (“COTS”) items. First, DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, requires implementation of NIST SP 800-171 and a current assessment in SPRS for a contractor to be considered for award, and provides information about performing and reporting a Basic DoD Assessment. Second, DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, requires a contractor to provide DoD with access to its facilities, systems, and personnel when necessary for a Medium or High assessment. This clause must be flowed down to all subcontractors, excluding those for COTS items.
Separately, the Interim Rule adds a new DFARS subpart, Subpart 204.75, Cybersecurity Maturity Model Certification, that specifies the policy and procedures for awarding a contract, or exercising an option on a contract, that includes a CMMC certification requirement. The Interim Rule also adds a new clause, DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirement, which requires the contractor to hold the CMMC certification at the level specified in the solicitation and to maintain that CMMC level for the duration of the contract. The CMMC certification requirement must be flowed down to subcontractors at all tiers, at a level appropriate to the sensitivity of the information flowed down to them. Beginning October 1, 2025, all contracts valued above the micro-purchase threshold, except those solely for COTS items, will require CMMC certification. Until then, the Interim Rule provides for a phased rollout of CMMC, and starting November 30, 2020, the inclusion of a CMMC requirement in a solicitation will have to be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment.
All CMMC assessments will be conducted by accredited CMMC Third Party Assessment Organizations (“C3PAOs”), after which the contractor will be awarded the appropriate certification level by the CMMC Accreditation Body (“CMMC-AB”). The certification will be posted in the SPRS database, and, like the DoD Assessment, will be valid for three years. If a contractor wishes to dispute the assessment, the contractor must submit a dispute adjudication request to the CMMC-AB “along with supporting information related to claimed errors, malfeasance, or ethical lapses by the C3PAO.” Once CMMC is in effect, contracting officers will be unable to award contracts to contractors that do not have the requisite level of CMMC certification for that solicitation or contract.
The CMMC Model describes five CMMC levels that build upon one another. Level 1 corresponds to the basic safeguarding requirements of FAR 52.204-21, expressed as 17 CMMC practices. Level 2 is intended as an intermediate step toward Level 3, which includes all 110 NIST SP 800-171 requirements plus an additional 20 CMMC practices (130 practices in total) and three CMMC processes. Levels 4 and 5 represent significant increases in robustness and complexity. Contractors can expect that, at the outset of implementation, the majority of required certifications will be at Level 1, although it remains to be seen how DoD Components will set the required level for a particular acquisition. Moreover, while strong cybersecurity practices are a priority across the federal government, contractors working with both defense and civilian agencies may see unintended consequences that do not necessarily benefit them on the civilian side, such as increased indirect costs.
What This Means for You
Government contractors and subcontractors should take the following steps now to ensure compliance with the Interim Rule by the time it goes into effect on November 30, 2020:
- All contractors and subcontractors, other than those dealing solely with COTS or those that do not store, process, generate, transmit or access covered defense information on their systems, should immediately prepare to conduct and submit a self-assessment as described in the Interim Rule to avoid delays in the awarding of future contracts.
- Contractors and subcontractors that do not believe they are required to implement NIST SP 800-171 controls should be prepared to demonstrate that none of the information they store, process, generate, transmit or access qualifies as covered defense information. These companies should carefully review new solicitations and proposed contract modifications to identify contract actions that attempt to incorporate the new DFARS clauses.
- Contractors and subcontractors should understand that POA&Ms will be impermissible under CMMC and that, under the DoD Assessment Methodology, every NIST SP 800-171 requirement that remains on a POA&M rather than implemented deducts from the maximum score of 110. Moreover, the Interim Rule does not provide guidance to Contracting Officers on how to handle low assessment scores or gaps identified in assessments. As a result, compliance gaps should be addressed and resolved before the Interim Rule goes into effect on November 30, 2020, to the extent practicable.
- Contractors and subcontractors should prepare themselves for the CMMC accreditation process to position themselves for timely certification once it is available.
The Interim Rule is a significant step in the federal government’s increasing focus on enhancing cybersecurity to protect the nation’s economic and national security.
1 Interim Rule, Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements, 85 Fed. Reg. 61505 (Sept. 29, 2020) (to be codified at 48 C.F.R. pts. 204, 212, 217, 252).