February of 2020 seems like a long time ago, for many reasons. But that was when the official version of the Cybersecurity Maturity Model Certification (CMMC) standards were released. Recently, the DoD issued an interim rule that will update the DFARS to implement the assessment methodology and CMMC framework for DoD procurements as well as add a new requirement for cybersecurity assessment under the NIST SP 800-171 framework. Here are some of the key points.
NIST SP 800-171 Rule
This rule will implement both the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology and the CMMC Framework. But DoD asserts that the two “assessments will not duplicate efforts from each assessment.”
DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is included in all contracts except for acquisitions solely for commercially available off-the-shelf (COTS) items. Under this clause, DoD will assess a contractor’s implementation of NIST SP 800-171 security requirements to “covered contractor information systems” within a contractor’s computer network. More information on the NIST SP 800-171 DoD Assessment Methodology is available here.
Under the proposed rule, contracting officers must verify that an offeror has a current NIST SP 800-171 DoD Assessment on record, prior to contract award, for applicable solicitations. This will be implemented through two new DFARS clauses: DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, and DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements. Under DFARS 252.204-7019, if the offeror has no NIST SP 800-171 DoD Assessment score in place, “the Offeror may conduct and submit a Basic Assessment to email@example.com for posting to SPRS.” This email must include a list of required information, such as details about the “system security plan.”
There are a number of differences between NIST SP 800-171 and CMMC assessments. Under NIST SP 800-171, for the Basic assessment–the assessment levels are Basic, Medium, and High–the contractor does a self-assessment. In contrast, CMMC has five levels of assessment going from 1 through 5, and none of them allow a self-assessment. Another difference is that the government performs the two higher levels of NIST SP 800-171 assessment, while independent auditors (not government employees) will carry out all levels of CMMC certification. Results of assessments for both frameworks will be documented in the Supplier Performance Risk System (SPRS)
DoD, in this interim rule, admits that it cannot assess the cyber security levels of the approximately 220,000 DoD contractors every three years. Therefore, the government assessment of contractors will be limited to “conducting targeted assessments for a subset of DoD contractors that support prioritized programs and/or technology development efforts.” The CMMC requirements address assessment for the thousands of contractors for which DoD will never conduct a direct assessment of cyber security.
The CMMC framework is designed to assure the government that a contractor is safeguarding sensitive unclassified information, such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), all the way down to its subcontractors. Here is a summary of the five CMMC levels:
- Consists of the 15 basic safeguarding requirements from FAR clause 52.204-21.
- Consists of 65 security requirements from NIST SP 800-171 implemented via DFARS clause 252.204-7012, 7 CMMC practices, and 2 CMMC processes. Intended as an optional intermediary step for contractors as part of their progression to Level 3.
- Consists of all 110 security requirements from NIST SP 800-171, 20 CMMC practices, and 3 CMMC processes.
- Consists of all 110 security requirements from NIST SP 800-171, 46 CMMC practices, and 4 CMMC processes.
- Consists of all 110 security requirements from NIST SP 800-171, 61 CMMC practices, and 5 CMMC processes.
This CMMC rule will be found at DFARS 252.204-7021. However, CMMC will be on a phased rollout, which means it won’t be applicable to all contracts at the outset. Until September 30, 2025, the CMMC clause will only be included in a solicitation if it is approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment. Starting October 1, 2025, “CMMC will apply to all DoD solicitations and contracts, including those for the acquisition of commercial items (except those exclusively COTS items) valued at greater than the micro-purchase threshold.” At that point, contractors must have a CMMC certification at the required level that is less than three years old.
The new DFARS clause (DFARS 252.204-7021) will require a contractor to do the following:
- Maintain the requisite CMMC level for the duration of the contract;
- Ensure that its subcontractors also have the appropriate CMMC level prior to awarding a subcontract or other contractual instruments (prime contractors should consider including this certification in teaming agreements or subcontracts so that subcontractors certify as to their CMMC level if required for a contract); and
- Include the requirements of the clause in all subcontracts or other contractual instruments.
A few other things to note about the CMMC requirement. First, timing: the required certification must be in place at time of award, not at time of initial offer.
Second, there is a dispute process. A contractor can dispute its CMMC assessment by a CMMC Third Party Assessment Organizations (C3PAO).
[T]he contractor may submit a dispute adjudication request to the CMMC-AB along with supporting information related to claimed errors, malfeasance, or ethical lapses by the C3PAO. The CMMC-AB will follow a formal process to review the adjudication request and provide a preliminary evaluation to the contractor and C3PAO. If the contractor does not accept the CMMC-AB preliminary finding, the contractor may request an additional assessment by the CMMC-AB staff.
DoD’s new rule will require DoD contractors and subcontractors to have assessments in place for both NIST SP 800-171 and CMMC. The NIST SP 800-171 requirement will be in place starting November 30, while the CMMC certification will start being included in some solicitations starting that same date. By October 1, 2025, CMMC requirements will be included in all DoD solicitations. If contractors haven’t already reviewed these requirements, time is running out.