Last Updated on October 27, 2020
On September 29, 2020, the Defense Acquisition Regulations System, Department of Defense (DoD), issued an interim rule that establishes two mechanisms for assessing a contractor's implementation of DoD cybersecurity requirements going forward:
- The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology, which outlines how a contractor's SP 800-171 implementation is assessed, as required by Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
- The Cybersecurity Maturity Model Certification (CMMC) framework, which builds on the 800-171 Assessment Methodology by adding "a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level."
The interim rule becomes effective on November 30, 2020.
If you are a DoD contractor, the interim rule essentially means that you must have:
- At least a Basic NIST SP 800-171 DoD Assessment that is not more than three years old at the time of award (if you have a NIST SP 800-171 obligation under DFARS 252.204-7012).
- A current CMMC certificate at the level specified (or higher) in the solicitation at the time of award, maintained for the life of the contract (once a solicitation calls for a CMMC level).
You will see these changes in forthcoming solicitations and contracts expressed through one new DFARS provision and two new DFARS clauses:
- 252.204-7019, "Notice of NIST SP 800-171 DoD Assessment Requirements," a solicitation provision that will appear in all solicitations except those solely for the acquisition of commercial off-the-shelf (COTS) items. This provision requires:
- That offerors have a NIST SP 800-171 DoD Assessment (no more than three years old) and that its summary-level score be posted in the Supplier Performance Risk System (SPRS) before award.
- 252.204-7020, "NIST SP 800-171 DoD Assessment Requirements," a contract clause that will appear in all solicitations and contracts except those solely for the acquisition of COTS items. This clause requires:
- That contractors provide the government access to their facilities, systems, and personnel so that it can conduct a Medium or High NIST SP 800-171 DoD Assessment when one is required.
- That contractors insert DFARS 252.204-7020 in all subcontracts (except for COTS) that do not explicitly call for a specific CMMC level.
- That contractors not award a subcontract unless the subcontractor has completed at least a Basic SP 800-171 DoD Assessment within the last three years for all covered contractor information systems relevant to its offer (where the subcontract does not explicitly call for CMMC).
- That contractors flow DFARS 252.204-7021 down to subcontractors (except for COTS) where their own contract requires them to be CMMC certified.
- 252.204-7021, "Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements," a contract clause that requires:
- That contractors have a CMMC certificate at the CMMC level required by the applicable contract at award and for the duration of the contract.
- That contractors insert DFARS 252.204-7021 in all subcontracts (except for COTS).
- That, prior to award of a subcontract, the contractor ensure that the subcontractor has a current CMMC certificate at the level appropriate for the information being flowed down to it.
What happens if I was previously subject to DFARS 252.204-7012?
- A contractor that was, or is, required to implement NIST SP 800-171 under the 7012 clause will be required to complete a Basic Assessment and upload its score to SPRS. A contractor that has fully implemented all 110 NIST SP 800-171 security requirements will have a score of 110. For each unimplemented requirement you subtract 1, 3, or 5 points, depending on the weight the Assessment Methodology assigns to that requirement; because the weights sum to more than 110, a score can be negative.
- After contract award, the DoD may conduct a Medium or High Assessment based on program criticality. In either a Medium or High Assessment, the DoD will review the contractor's description of how each SP 800-171 security requirement is implemented (its system security plan) and will identify any gaps in achieving the security requirements.
- For contractors already required to comply with SP 800-171 and DFARS 7012, DoD is instituting an assessment and reporting system to verify compliance before new contracts can be awarded. While the requirement is that the score be in SPRS prior to contract award, DoD encourages affected contractors to begin their self-assessments immediately.
There are three levels in the Assessment Methodology. The Basic Assessment is a self-assessment completed by the contractor prior to contract award, while the Medium and High Assessments are options available to the DoD after award; each level yields a correspondingly higher confidence that the reported score is accurate.
Basic Assessments are conducted using NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, together with Section 5 and Annex A of version 1.2.1 of the DoD Assessment Methodology. SP 800-171A is essentially an audit program for SP 800-171: for each of the 110 requirements it lists the assessment objectives and the examine, interview, and test methods used to determine whether the requirement is met.
DoD estimates that it will conduct about 200 Medium Assessments and 110 High Assessments each year.