On September 29, 2020, the Department of Defense (DoD) issued an interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to create new assessment and certification requirements for DoD contractors. In particular, contractors will have to satisfy assessment and certification requirements regarding certain of their information systems in order to be eligible for future government contracts.
The rule introduces: i) the DoD Assessment Methodology (effective starting November 30, 2020), which is intended to assess contractor implementation of contractually required cybersecurity requirements, and ii) DoD's Cybersecurity Maturity Model Certification (CMMC) program (full implementation of which will not happen until 2025), which indicates a contractor's level of cybersecurity as measured by a third party. The interim rule will become effective on November 30, 2020 and is discussed in greater detail below.
The New "DoD Assessment Methodology"
Starting November 30, 2020, in order to be eligible to receive a DoD contract or have an option exercised under an existing contract, affected contractors will need to have performed a self-assessment, as described below, regarding their compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 ("800-171") and reported that assessment in the government's Supplier Performance Risk System (SPRS). This requirement applies to all DoD contracts except those for the procurement of Commercial Off the Shelf (COTS) items.
Many contractors already have contracts which contain DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (the "7012 clause"). The 7012 clause requires contractors that have "covered contractor information systems"1 to apply the cybersecurity requirements of 800-171 to those systems. Under the 7012 clause, contractors (and their subcontractors that have covered contractor information systems) self-certify that they have "implemented" the requirements of 800-171. Until now, a contractor could show implementation of 800-171 by having a system security plan in place describing how the requirements are implemented, along with "plans of action" describing how and when any unimplemented security requirements would be met in the future. DoD has expressed concern that, under the 7012 clause alone, contractors can leave security controls unaddressed indefinitely; by layering new assessment requirements on top of the 7012 clause, the interim rule requires contractors and subcontractors to commit to enforceable timelines for closing compliance gaps.
More specifically, the interim rule incorporates the DoD Assessment Methodology, which augments the 7012 clause with a standard approach for assessing a contractor's actual implementation of 800-171, as set forth in two new DFARS clauses: 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, and 252.204-7020, NIST SP 800-171 DoD Assessment Requirements. The methodology scores the extent of a contractor's implementation of the 800-171 requirements and defines three levels of assessment (Basic, Medium, and High), which correspond to DoD's level of confidence in the assessment result.
This means that starting November 30, 2020, contractors that are required to implement 800-171 (i.e., those with one or more "covered contractor information systems") will need to conduct self-assessments of their implementation of 800-171 on each of their affected systems (a "Basic" assessment) and enter the results into SPRS. The assessment produces a score with a maximum of 110, one point for each of the 110 security requirements in 800-171. The score is not a simple count of implemented requirements, however: points (1, 3, or 5, depending on the weight DoD assigns to the requirement) are deducted for each requirement that is not implemented, so a contractor with many gaps can have a score well below zero. While the interim rule requires that the Basic assessment be performed and entered into SPRS (along with the date by which the contractor expects to achieve a score of 110), it does not set a minimum score. It is not at all clear whether there is a negative consequence (e.g., a disadvantage in a source selection) to having a Basic assessment with a score of less than 110, since the requirement is only that the results of the assessment be reported.
Medium and High assessments are conducted by the government (e.g., the Defense Contract Management Agency). Through DFARS 252.204-7020, contractors are required to provide access to their facilities, systems, and personnel so that DoD can conduct an assessment. The level of assessment DoD may perform depends on the criticality of the program or the sensitivity of the information handled by the contractor. Once the government determines a score, the contractor will have an opportunity to rebut DoD's assessment and will have 14 business days to provide additional information before DoD arrives at its final assessment.
Because DFARS clause 252.204-7020 states the prime "shall not award a subcontract or other contractual instrument" if there is no subcontractor Basic assessment, contractors should also ensure their impacted subcontractors have (at least) a Basic assessment reported in SPRS.
Cybersecurity Maturity Model Certification (CMMC)
In addition to the Assessment Methodology, the interim rule also addresses the Cybersecurity Maturity Model Certification (CMMC) framework, which measures a company's cybersecurity processes and practices beyond the requirements of SP 800-171. CMMC is intended to provide assurance that DoD contractors' systems have processes and practices sufficient to protect certain unclassified information, such as Controlled Unclassified Information (CUI). By October 1, 2025, CMMC requirements should be present in virtually all DoD contracts; for now, CMMC requirements will be included in a solicitation only when the contracting activity obtains approval from the Office of the Under Secretary of Defense for Acquisition and Sustainment. Once CMMC is in effect for a contract, a new contract cannot be awarded, nor can a contract option be exercised, if the contractor does not hold a current certification at the required CMMC level.
Where the new DFARS clause (DFARS 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement) applies, contractors must maintain the required CMMC level (i.e., between 1 and 5) for the duration of the contract and, before awarding a subcontract, ensure that each non-COTS subcontractor holds a current CMMC certificate at the level appropriate for the information being flowed down to it. Significantly, CMMC requires certification by a third party to a specified level that will be set on a contract-by-contract basis (e.g., a solicitation can state the minimum CMMC level required to be eligible for award). The certifications will be based on assessments performed by CMMC Third Party Assessment Organizations (C3PAOs). Based on a C3PAO assessment, the CMMC Accreditation Body will issue the contractor a certification at the appropriate level, and the certification will be recorded in SPRS.
- The interim rule indicates that it can take up to 30 days for the results of an 800-171 assessment to be posted in SPRS. Contractors subject to the requirements should therefore enter their assessment well in advance of any new contract award or upcoming contract option.
- If a contractor believes it is not required to implement 800-171 because it does not store, process, generate, transmit, or access covered defense information on its systems (notwithstanding the presence of the 7012 clause in a contract), it should document its determination of why it does not need to conduct a DoD Assessment.
- Once in effect, CMMC will apply to almost all contracts. Even contractors that do not process, store, or transmit CUI must obtain a CMMC Level 1 certification.
- CMMC costs money. The interim rule includes estimated costs for supporting CMMC assessments, ranging from around $3,000 for the lowest level to over $1 million for the highest certification, plus recurring costs to maintain and renew the certification.
- Both the DoD Assessment Methodology and CMMC apply only to contracts with DoD entities; however, other agencies are likely considering adopting their own versions of these cybersecurity assessment and review requirements.
The interim rule will present challenges to government contractors, both large and small. Contractors should review the rule carefully and would be well-advised to start planning for how they will comply, as the interim rule is set to become effective on November 30, 2020.
1 These are, generally speaking, information systems that store, process, generate, transmit, or access "covered defense information," which is unclassified controlled technical information or Controlled Unclassified Information (CUI) that has been: 1) marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or 2) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.