Responding to fundamental concerns about the cybersecurity of its private sector supply chain, the Department of Defense (DoD) will, at the end of this month, begin requiring its contractors to comply with a complex and demanding new cybersecurity framework. Starting on November 30, 2020, contractors working for the DoD will need to comply with the long-anticipated Cybersecurity Maturity Model Certification (CMMC). This mandatory requirement will be a go/no-go criterion for eligibility for many DoD contracts.
The interim rule, issued on September 29, 2020, amends the Defense Federal Acquisition Regulation Supplement (DFARS) to establish the DoD Assessment Methodology for contractor cybersecurity certification and to implement the CMMC program.
What is the DoD Assessment Methodology?
The DoD Assessment Methodology requirement was developed to address perceived flaws in the self-assessment process. Currently, under DFARS clause 252.204-7012, contractors must self-certify their compliance with the cybersecurity requirements of NIST SP 800-171 as applied to "covered contractor information systems," which are generally those that store, process, generate, transmit or access "covered defense information." Through the interim rule, the DoD Assessment Methodology rates contractor cybersecurity levels as Basic, Medium or High based on the contractor's implementation of the 110 controls identified in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
As under the current system, contractors can certify their own programs at the Basic level. For Medium and High assessments, the DoD will assess contractors. The interim rule also introduced DFARS clause 252.204-7020, which requires contractors to provide the DoD with access to the contractor's facilities, systems and personnel as necessary to conduct or renew a higher-level assessment. In any event, contractor DoD Assessment Methodology results will be posted in the Defense Information Systems Agency's database, the Supplier Performance Risk System (SPRS).
Interim DFARS contract clause 252.204-7019 lists the information that contractors must provide when reporting a Basic DoD Assessment, which includes:
- Standard assessed (e.g., NIST SP 800-171)
- Organization conducting assessment (e.g., contractor self-assessment)
- CAGE codes
- Description of system security plan architecture as relevant
- Date of assessment completion
- Summary level score (e.g., 95 out of 110)
- Date that all requirements are expected to be implemented (e.g., a score of 110 is expected to be achieved by ...)
For Basic DoD Assessments, contractors will need to post their results in SPRS, where they remain valid for three years. For Medium and High DoD Assessments, the DoD will select contractors for additional review post-award based on the nature of the information under the contract.
The interim rule requires contractors to flow down the substance of DFARS 252.204-7020 to all subcontractors (except commercial-off-the-shelf (COTS) suppliers) and to ensure that subcontractors who must meet the NIST SP 800-171 requirements have a current DoD Assessment posted in SPRS.
How does the Interim Rule Implement the CMMC?
The interim rule phases in the CMMC rollout so that eventually all contractors doing business with the DoD, with the exception of COTS suppliers, must be CMMC certified by September 30, 2025. In the meantime, the DoD will select a limited number of solicitations in which to include the CMMC requirement under interim rule DFARS clause 252.204-7021.
The CMMC Model includes five levels of progressively higher capabilities and more demanding requirements. Level 1 requires practices and procedures equivalent to those required under FAR 52.204-21. Level 2 encompasses 48 of the 110 security requirements of NIST SP 800-171 specified under DFARS clause 252.204-7012, plus an additional seven cybersecurity requirements. Level 3 requires all 110 NIST SP 800-171 requirements, plus an additional 20 CMMC practices and three CMMC processes. Levels 4 and 5 represent a significant increase in complexity, with more practices and processes, which are designed to reduce the risk of Advanced Persistent Threats or attacks by nation-state adversaries using multiple, sophisticated techniques. In general terms, we would describe Level 1 as the basic cybersecurity practices that most security practitioners would consider a baseline; Level 3 is likely to be the baseline for most prime contractors initially; and Levels 4 and 5 will initially be limited to a small subset of the DoD contracting environment.
CMMC assessments will be conducted by designated and specially trained CMMC Third Party Assessment Organizations (C3PAOs). Once the C3PAO has completed an assessment, the contractor is awarded a certification at the appropriate level by the CMMC Accreditation Body (AB). If a contractor receives a less than favorable certification, the interim rule describes a "dispute adjudication request" that the contractor will be able to submit to the CMMC AB for review of the certification.
Notably, DFARS clause 252.204-7021 requires a mandatory flow-down to subcontractors. However, the new clause only requires prime contractors to ensure that the subcontractor has a current (i.e., not older than three years) CMMC level appropriate to the information being flowed down to that subcontractor, rather than the same CMMC level as the prime regardless of the subcontractor's role.
How do I become CMMC ready?
In preparation for the CMMC as well as the DoD Assessment Methodology requirement, contractors should consider the following:
- Identify and inventory current and anticipated covered defense information on your covered contractor information systems
- Assess the current cybersecurity program against NIST SP 800-171 practices and processes
- Identify desired CMMC level
- Conduct desired CMMC level gap analysis
- Implement CMMC practices and processes to close desired CMMC level gap
- Create or revise incident response plan
- Review subcontract flow-down clauses required under the interim rule
These, along with other pre-certification measures, will increase contractors' chances of transitioning smoothly into this new cybersecurity regime.
Ice Miller has extensive experience with cybersecurity requirements and DoD contract compliance and can assist you with implementing CMMC and DoD Assessment requirements. Our team includes Guillermo Christensen, a partner in our DC office with close to 20 years of national security experience in the CIA and the intelligence community, focused on nation-state threats and response; Nick Merker, a partner with more than a decade of computer systems and network security experience who chairs Ice Miller's Data Security and Privacy Practice; Christian Robertson, a former US Air Force intelligence officer who regularly advises clients on government contract matters; and Clayton Heil, a partner in Ice Miller Strategies with prior experience in Congress on homeland security matters.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.