The Department of Defense (DoD) has finally issued the long-awaited interim rule on the implementation of the Cybersecurity Maturity Model Certification (CMMC) process which will be rolled out over the next five years. However, in an interesting twist, the interim rule also implements a new DoD Assessment methodology for NIST SP 800-171 compliance that will go into effect as early as November 30, 2020.
The Federal Government has shown an increased emphasis on cybersecurity in recent years. The DoD has issued several rules since 2013, all of which seek to protect defense systems, sensitive information, and critical infrastructure. Recently, the focus has been on the implementation of the CMMC framework, which is intended to enhance the protection of unclassified information within the Defense Industrial Base supply chain by providing a certification methodology to assess contractor implementation of cybersecurity requirements.
Currently, most DoD contractors are required to comply with DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. This clause requires contractors to apply the security requirements contained in NIST SP 800-171 to "covered contractor information systems." The CMMC framework announced in the interim rule builds on these existing requirements by adding a certification element to verify that a contractor's processes and practices achieve one of the following CMMC levels:
Level 1: Consists of the 15 basic safeguarding requirements from FAR clause 52.204-21.
Level 2: Consists of 65 security requirements from NIST SP 800-171 implemented via DFARS clause 252.204-7012, 7 CMMC practices, and 2 CMMC processes. Intended as an optional intermediary step for contractors as part of their progression to Level 3.
Level 3: Consists of all 110 security requirements from NIST SP 800-171, 20 CMMC practices, and 3 CMMC processes.
Level 4: Consists of all 110 security requirements from NIST SP 800-171, 46 CMMC practices, and 4 CMMC processes.
Level 5: Consists of all 110 security requirements from NIST SP 800-171, 61 CMMC practices, and 5 CMMC processes.
By September 30, 2025 all DoD contracts, with limited exceptions including contracts exclusively for commercial off-the-shelf items, will require CMMC certification at one of these five levels. Each contract will be assigned a CMMC level based on the nature and requirements of the contract. For example, contracts that involve Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will likely be subject to a higher CMMC level. Each solicitation will be assigned a CMMC level, and an offeror will not be eligible for award if the offeror does not have a current CMMC certificate at the level required by the solicitation. Similarly, a contracting officer may not exercise an option or extend the period of performance on a contract, task order, or delivery order unless the contractor has a CMMC certificate at the level required. Third-party organizations will be responsible for performing CMMC assessments and issuing certificates.
As expected, the DoD announced a five-year phased rollout strategy for full CMMC implementation. When the rule goes into effect on November 30, only a limited number of businesses will be impacted, as the DoD will decide initially which solicitations will include the CMMC requirement. However, DoD prime contractors are required to flow down the appropriate CMMC certification requirement to their subcontractors, which means many companies may soon be impacted by the new CMMC framework.
What was not expected is a whole new process for assessing how DoD contractors comply with NIST SP 800-171. This appears to be a stopgap measure developed to ensure compliance with NIST SP 800-171 until CMMC is fully implemented. Currently, contractors are allowed to self-certify their compliance with the NIST standards. The interim rule adds DFARS 252.204-7019 and 252.204-7020 and provides for a scoring methodology with three assessment levels (Basic, Medium, and High) that reflect the depth of the assessment performed and the level of confidence in the resulting score. A Basic Assessment is a self-assessment completed by the contractor, while Medium and High Assessments are completed by the Government. The Government will select contractors for Medium or High review based on the nature of the program. Starting on November 30, 2020, Contracting Officers are required to verify that an offeror has a current NIST SP 800-171 DoD Assessment on record prior to contract award or the exercise of an option. Offerors will therefore need to ensure that a current Assessment, at a minimum at the Basic level, is posted in the Supplier Performance Risk System (SPRS). As with the CMMC framework, DoD prime contractors will have to flow down the Assessment requirement to subcontractors as applicable.
Some aspects of the interim rule may change with the issuance of a final rule, and additional guidance will most likely be forthcoming. Until then, DoD contractors should make plans to implement the new Assessment requirement quickly, and should carefully review all DoD solicitations and contract modifications to understand whether the new rule affects them.
The interim rule issued on September 29, 2020 amends the Defense Federal Acquisition Regulation Supplement (DFARS) at Subpart 204.73, Safeguarding Covered Defense Information and Cyber Incident Reporting; adds a new Subpart, 204.75 – Cybersecurity Maturity Model Certification; and adds the following DFARS clauses: DFARS 252.204-7019, DFARS 252.204-7020, and DFARS 252.204-7021.
Please reach out to the Government Contracts group if you have any questions about this legal update or need assistance on implementing the interim rule.