Assessing Contractor Implementation of Cybersecurity Requirements
The Department of Defense (“DoD”) implemented a new Interim Rule on November 30, 2020 – Assessing Contractor Implementation of Cybersecurity Requirements. This rule amends Defense Federal Acquisition Regulation Supplement (“DFARS”) clause 252.204-7012 and implements a new Assessment Methodology and the Cybersecurity Maturity Model Certification (“CMMC”) Framework. In short, the DoD is revamping its contractor cybersecurity requirements to provide a more efficient framework that better serves national security.
The purpose of this interim rule is to better protect national and economic security. Over the years, theft of intellectual property and sensitive information has risen immensely. It was estimated that this malicious cyber activity cost the United States economy about $57 billion to $108 billion in 2016, and this cost is only expected to increase over time. Thus, the National Defense Authorization Act directed the Secretary of Defense to develop a new framework to protect national security. This framework provides a clear, consistent, and comprehensive solution.
This rule requires government contractors to implement new cybersecurity requirements and enhance the protection of unclassified information throughout the entire DoD supply chain. The following is a comprehensive guide to the new process.
- Conduct a self-assessment in accordance with NIST SP 800-171 Assessment Methodology.
DFARS clause 252.204-7012 requires all contractors to apply the security requirements of NIST SP 800-171 to covered contractor information systems. This clause is included in all solicitations and contracts, except for commercially available off-the-shelf items (“COTS”). The purpose of the assessment is to record which requirements the contractor has not yet implemented. After analysis, a contractor will receive a score between 0 and 110, with 110 being the number of security requirements necessary for full implementation. The goal is to receive a score of 110. If the company has not implemented all 110 security requirements, it must document a plan of action, the Plan of Action and Milestones (“PoA&M”), to implement the missing requirements, together with the date by which that will be accomplished.
The scoring method also assigns a level – Basic, Medium, or High – to the contractor, reflecting the depth of the assessment performed and the associated level of confidence in the score. These assessments are completed for each relevant instrument, such as the offer, contract, task order, or delivery order. The assessment must be renewed every three years to ensure compliance with updated security requirements.
To submit the Basic Assessment, the contractor is required to submit information such as the system security plan name (if there is more than one); the CAGE code associated with the plan; a brief description of the plan’s architecture; the date of the assessment; the total score received; and, if the score is below 110, the date by which a score of 110 will be achieved.
- Register on the Supplier Performance Risk System (“SPRS”).
This interim rule adds a new subpart, DFARS 204.75, specifying the policies and procedures for awarding a contract that includes CMMC certification requirements. Contracting officers are required to verify an offeror’s CMMC certification in SPRS. The CMMC builds on the NIST SP 800-171 assessment methodology. This framework adds a certification to the assessment, confirming that the appropriate processes and practices were followed in accordance with the cybersecurity maturity level. This second-level verification ensures protection of Federal Contract Information (“FCI”) and Controlled Unclassified Information (“CUI”) at all levels, including subcontractors. Whichever certification level is assigned to the DIB company is documented in the Supplier Performance Risk System (“SPRS”). SPRS publishes a posting guide for Basic Assessments.
- Produce and maintain a System Security Plan (“SSP”) and Plan of Action and Milestones for each system.
An SSP is defined as a “[f]ormal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.” A PoA&M is defined as “[a] document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.” Together, these two documents help to track a company’s DFARS compliance. The documents will assist a company with the following:
- Reporting compliance with DFARS 252.204-7012 for technical evaluation;
- Using proposal instructions and corresponding evaluation specifics to determine processing, storing, and transmitting CDI/CUI and what risks are in or out of scope for the project;
- Organizing and pinpointing NIST SP 800-171 control requirements that are not implemented at the time of award; and
- Identifying that the security requirements in NIST SP 800-171 must be implemented.
- Produce and maintain policy, process, and system documentation/evidence of compliance.
The system assessment and CMMC certification must be renewed at least every three years. Thus, it is imperative to keep all documentation and evidence of compliance up to date. Additionally, for Medium or High NIST SP 800-171 DoD Assessments, contractors must provide the government with access to facilities, systems, and personnel when necessary for the DoD to conduct or renew a higher-level assessment. See DFARS clause 252.204-7020.
- Enter the self-assessment score into SPRS prior to award, option exercise, or extension of a contract, task order, or delivery order.
The CMMC certification is required only at the time of award; it need not be completed beforehand. Thus, entering the self-assessed score allows a contracting officer to verify in SPRS that the potential awardee has a current NIST SP 800-171 DoD Assessment prior to the contract award. Third-party assessors will be used to ensure that DIB companies have institutionalized the required processes (maturity) and implemented the practices commensurate with that level.
The DoD has implemented the CMMC on a “phased rollout” basis. This means that until September 20, 2025, the CMMC requirements apply to all solicitations and contracts, except for COTS items, only where the statement of work requires the contractor to have a specific level of CMMC. After October 1, 2025, CMMC will apply to all DoD solicitations and contracts, except for COTS items, regardless of the level of CMMC required. A contracting officer will not make an award if the offeror does not hold the proper certification for the required CMMC level.
- Ensure all subcontractors also perform the above.
Contractors must ensure that subcontractors have the results of a current assessment posted in SPRS prior to awarding a subcontract. It is the contractor’s responsibility to ensure that subcontractors comply with the cybersecurity requirements. Under the new DFARS clause 252.204-7021, a contractor is required to:
- Maintain the requisite CMMC level for the duration of the contract;
- Ensure that subcontractors maintain their requisite CMMC level prior to the subcontract award; and
- Include the requirements of clause 252.204-7021 in all subcontracts.
In sum, the DFARS clause 252.204-7012 and NIST SP 800-171 cybersecurity requirements for prime contractors and subcontractors are no longer voluntary. The DoD requires completion of assessments coupled with CMMC, and requires all companies conducting business with the DoD to be certified by a third party. Overall, the DoD benefits substantially from the implementation of the new assessment methodology and framework. This interim rule will enhance protection of FCI and CUI within companies and protect against theft of intellectual property and sensitive information.
Further, on December 15, 2020, the DoD released the list of CMMC certification pilots for FY 2021. Contractors are encouraged to review this list to determine if they support these programs as a prime or subcontractor.
This article was co-authored by Chelsea A. Padgett, Esq. and Luke R. Barnes.
Chelsea A. Padgett, Esq. is an associate attorney with Ward & Berry, PLLC. Ms. Padgett attended law school at the University of Florida Levin College of Law and is now licensed to practice law in the Commonwealth of Virginia and Florida. She practices in all areas of the firm’s practice with a primary focus on Government Contracts.
Luke R. Barnes is a Managing Partner at Fidelis Risk Advisory in Austin, Texas. Fidelis Risk Advisory helps businesses navigate the complexities of building and implementing information security programs. With a deep focus on CMMC compliance, he enables companies to build security programs that are both defensible and functional.