The Department of Defense (DoD) continues to enhance cybersecurity requirements in its supply chain. A new rule requires some contractors to assign a numerical score to their current cybersecurity practices. Additionally, the rule begins rolling out requirements for all defense contractors to have their cybersecurity certified by a third party.
For years, the gold standard for defense contractors has been NIST SP 800-171 (the NIST Standard). The NIST Standard establishes cybersecurity practices for companies that handle DoD “controlled unclassified information” (CUI). Historically, the NIST standard was largely aspirational, and contractors have been allowed to self-certify that they either comply or have a plan to comply in the future. That looseness led to varying degrees of — and endlessly delayed plans for — compliance.
To address those shortcomings, the Cybersecurity Maturity Model Certification (CMMC) Framework will end the self-certification option. Instead, contractors will need certification from a CMMC Third-Party Assessment Organization (C3PAO). C3PAOs must themselves by accredited by an Accreditation Body. The CMMC Framework is being rolled out over the next five years, starting November 30, 2020. But no C3PAOs have yet been accredited, so it will be a while before contractors can be CMMC certified.
In the meantime, as a bridge to CMMC, the rule establishes a more robust assessment framework for the NIST Standard. Rather than self-certify compliance, contractors must specifically score their practices according to a detailed list of controls, on a scale from -203 to +110. This “Basic Assessment” score will be posted to the Supplier Performance Risk System (SPRS), where it can affect procurement decisions. That gives contractors additional incentive to comply with the NIST Standard sooner, rather than later. Because of substantial overlap between the NIST Standard and the CMMC controls, the scoring could smooth the eventual transition to the CMMC Framework. As Bradley has reported, this Basic Assessment is due from covered defense contractors by November 30, 2020.
NIST SP 800-171 DoD Assessment Methodology
DoD contractors are already familiar with the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity clause 252.204-7012. It is included in nearly all DFARS-covered contracts and requires that contractors’ cybersecurity meet the NIST Standard. Historically, the DoD had no way to verify a contractor’s implementation of the standard. The new interim rule creates a more specific, standardized self-assessment methodology.
Under this new NIST SP 800-171 DoD Assessment methodology, contractors still self-assess their compliance. What’s new is the standardized, uniform methodology to be used for assessment, in which a contractor scores itself on a scale from -203 to +110, based on the controls with which it complies. In addition to the basic assessment — which is a self-assessment — after award, the government may in some cases conduct its own medium or high assessment of a contractor’s cybersecurity. Assessments generally expire after three years.
The basic assessment applies across the board to all defense contractors who handle DoD CUI.
The industry has been preparing for CMMC since last year, so its entry into the DFARS comes as no surprise. As discussed above, no C3PAOs have yet been accredited. Nonetheless, efforts to comply with the CMMC standards will not be wasted.
CMMC has five levels of compliance, and the required compliance level will be defined in each contract based on the associated risks. Every contractor will need to meet CMMC Level 1. And any contractor handling CUI will probably need to meet at least CMMC Level 3. The Level 3 requirements remain very similar to the NIST Standard. For many contractors, then, their CMMC efforts will help improve their Basic Assessment score.
Risks of Noncompliance
Though the Basic Assessment is a self-assessment, defense contractors should score themselves honestly. In the Eastern District of California, claims are proceeding against Aerojet RocketDyne under the False Claims Act (FCA) for its allegedly false representations of cyber compliance. In allowing the suit to move forward, the court recognized the possibility that “the government never expected full compliance.” However, the specific “extent to which a company was technically compl[ia]nt still mattered.” Earlier the Ninth Circuit had allowed similar FCA claims to proceed against Raytheon in another closely watched case. Those claims have now been finally dismissed. But both the Raytheon and Aerojet RocketDyne cases gesture toward the importance of honest and accurate assessments of cyber compliance.
The DoD recognizes the global importance of strong cybersecurity. This new rule shows that the government is tightening not only the security requirements. Indeed, the assessment framework and reporting requirements are equally important to ensuring robust controls and compliance. But many defense contractors — especially small businesses — may chafe under some of the new requirements. Assessing, conforming, and certifying its systems and procedures could cost even a relatively small contractor many tens of thousands of dollars. Bradley will continue to report on new developments.