By Tim Mullican, DevOps Engineer
The Department of Defense (DoD) recently amended DFARS, its set of information systems security controls required for government contractors, with an interim rule that implements two new frameworks: NIST SP 800-171 DoD Assessment Methodology and Cybersecurity Maturity Model Certification (CMMC).
The interim rule is slated to go into effect on Nov. 30, 2020. However, the DoD is currently soliciting comments between now and then that may impact the formation of the final rule prior to its implementation. Nevertheless, our sense is this interim rule reinforces the urgency for defense contractors to get their house in order against current DFARS standards in preparation for CMMC or run the risk of losing future awards.
NIST SP 800-171 DoD Assessment Methodology
Under the current DFARS ruleset, contractors self-certify their compliance status against NIST SP 800-171. The new NIST SP 800-171 DoD Assessment Methodology seeks to change this by implementing a new system, the Supplier Performance Risk System (SPRS), which offers the DoD greater insight into a contractor’s true compliance status. All contractors, except for commercially available off-the-shelf (COTS) providers, will be required to create an account and will be assigned a score based on the percentage of NIST SP 800-171 controls they have implemented. The maximum possible score is 110, a score that would indicate a contractor has implemented all 110 NIST SP 800-171 security controls. The NIST SP 800-171 DoD Assessment Methodology defines three assessment levels, each indicating higher levels of assurance: Basic, Medium and High. A Basic assessment is performed by the contractor, while the Medium and High assessments are performed by the government on site. Notably, the DoD anticipates a vast majority of the assessments completed each year will be at the Basic level, with only about a few hundred Medium and High assessments expected to be performed each year.
In addition, DFARS subpart 204.73, Safeguarding Covered Defense Information and Cyber Incident Reporting, is amended under the interim rule to require contracting officers to verify that an offeror has a current entry in SPRS prior to contract award, if the contractor is required to meet the implement NIST 800-171.
Further, contracting officers will be required to include two new DFARS clauses in solicitations and contracts, except for the acquisition of COTS items:
The first of the two new DFARS clauses requires an offeror to have a current (within three years) NIST SP 800-171 DoD Assessment on record in SPRS prior to contract award. The clause also provides offerors with additional information on conducting and submitting an Assessment when a current one is not posted in SPRS. The second new DFARS clause requires a contractor provide the government with access to its facilities, systems and personnel when it is necessary for the DoD to conduct or renew a higher-level assessment. Contractors must also ensure that applicable subcontractors have the results of a current assessment posted in SPRS prior to awarding a subcontract. Finally, it provides additional information on how a subcontractor can conduct and submit an assessment when one is not posted in SPRS, as well as requires the contractor to include the requirements of the clause in all applicable subcontracts or other contractual instruments.
Cybersecurity Maturity Model Certification (CMMC)
The CMMC is a five-level certification process that builds on the current NIST SP 800-171 DoD Assessment Methodology. CMMC assessments are conducted by an independent certified third-party organization (C3PAO) approved by the CMMC Accreditation Body (AB) and seek to provide higher levels of assurance than NIST 800-171 alone. There are five levels of CMMC certification:
Please see our blog, Top 7 Concerns About CMMC and What it Means for DoD Contractors for more information about this methodology.
The interim rule creates DFARS subpart 204.75, CMMC, which specifies the policy and procedures for awarding a contract or exercising an option on a contract, and includes the requirement for a CMMC certification. This subpart also directs contracting officers to verify in SPRS the contractor’s CMMC certification is current and meets the required level for the contract prior to award.
Another new DFARS clause 252.204-7021, CMMC Requirements, requires that a contractor and its subcontractors maintain the requisite CMMC level for the duration of the contract. Contractors must include the requirements of this clause in all subcontracts and must ensure all subcontractors maintain the requisite CMMC level for the duration of the subcontract.
Notably, CMMC will be rolled out in a phased approach over the next five years, with the -7021 clause only included if the required document or statement of work requires a specific CMMC level, excluding acquisitions exclusively for COTS items.
Beginning Oct. 1, 2025, all DoD contracts, excluding COTS items, greater than the micro-purchase threshold will be required to include the -7021 clause, thereby requiring contractors to have a current CMMC certification level prior to award.
Gray Analytics can provide businesses with our in-depth knowledge of a variety of government regulations and help identify the steps each company needs to take to maintain compliance with the new requirements. Our turn-key compliance services offer a clear-cut opportunity to reduce your internal staff’s burden, so your team can focus on managing your business.