DoD Publishes Interim Cybersecurity Rule on CMMC and DoD Assessments
Government Contracts Update
Date: October 06, 2020
On September 29, the U.S. Department of Defense (DoD) issued an interim rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) and impose new data security requirements on contractors. The interim rule defines new obligations for defense contractors to immediately undertake cybersecurity “Assessments” and formally implements the Cybersecurity Maturity Model Certification (CMMC) framework.
Pursuant to existing regulations, federal contractors must implement and maintain certain data security controls to protect sensitive information in their custody or control and within their supply chain. For instance, FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, requires contractors and their subcontractors to implement a basic level of security controls when processing federal contract information in or from covered contractor information systems.
In addition, DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors and their subcontractors to provide “adequate security” when processing controlled unclassified information (CUI) and to rapidly report to DoD (within 72 hours of discovery) any cyber incident that affects CUI or the contractor’s ability to perform the contract. More specifically, the clause requires contractors to meet or exceed the information security requirements set forth in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
Interim Rule and Cybersecurity Requirements
Generally, DoD enforces compliance with its cybersecurity regulations by having contractors self-attest to meeting the security requirements therein. Although in some instances a contractor may receive an award without having to fully implement all security requirements set forth in NIST SP 800-171, it must draft a “Plan of Action” setting forth its strategy and timeline for doing so. To address this shortcoming (and others), DoD’s interim rule creates a two-pronged approach that focuses on new DoD Assessments and the CMMC.
The interim rule adds DFARS clauses 252.204-7019 and 252.204-7020 to address certain data security assessments that contractors must undertake. In particular, all organizations that are already required to comply with NIST SP 800-171 pursuant to a defense contract will now be required by the new DFARS clauses to complete a Basic Assessment and to submit their assessment scores to the Supplier Performance Risk System (SPRS), which is DoD’s source for supplier and product performance information. The Basic Assessment is a self-assessment undertaken by the contractor using a specific scoring methodology (the NIST SP 800-171 DoD Assessment Methodology) meant to inform DoD how many security requirements the contractor has not yet implemented, and how significant those gaps are. An organization that has fully implemented all 110 security requirements set forth in NIST SP 800-171 receives a score of 110. An organization that has not implemented all 110 requirements receives a score of 110 minus the value assigned to each unimplemented requirement; because requirements are weighted (one, three or five points each, according to their impact if left unimplemented), the resulting score can fall below zero. To be considered for award, a contractor must have a current Basic Assessment on file with DoD, and the contracting officer will verify in SPRS that one exists prior to award. A Basic Assessment remains current for three years from the date it was conducted.
After a defense contract is awarded, DoD may choose to conduct a Medium or High Assessment if the contractor is collecting sensitive government information or is involved in certain defense programs. Under a Medium Assessment, DoD personnel review the contractor’s system security plan (SSP) description of how each NIST SP 800-171 requirement is satisfied and identify any descriptions that may not properly address the requirements. A High Assessment goes further: DoD personnel verify that each requirement is actually implemented as described, and to do so may access the contractor’s facilities, examine its systems and interview its employees. A contractor facing a High Assessment must therefore be prepared to affirmatively demonstrate what its SSP describes, not merely to document it.
The interim rule also amends the DFARS by adding a new clause, DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirement, which, once included in a solicitation or contract, requires the contractor to hold the CMMC level specified in that contract and to maintain it for the duration of the contract. The CMMC framework consists of information security processes and practices, which align to the following five certification levels within the CMMC:
- Level 1: Consists of the 15 basic safeguarding requirements from FAR 52.204-21.
- Level 2: Consists of 65 security requirements from NIST SP 800-171, seven CMMC practices and two CMMC processes.
- Level 3: Consists of all 110 security requirements from NIST SP 800-171, 20 CMMC practices and three CMMC processes.
- Level 4: Consists of all 110 security requirements from NIST SP 800-171, 46 CMMC practices and four CMMC processes.
- Level 5: Consists of all 110 security requirements from NIST SP 800-171, 61 CMMC practices and five CMMC processes.
Defense contractors that do not process or retain CUI must obtain a CMMC Level 1 certification. Contractors that process, store or transmit CUI must achieve CMMC Level 3 or higher, depending on the sensitivity of the information associated with a program or the technology being developed. DoD will implement CMMC requirements over a span of approximately five years.
CMMC assessments will be conducted by CMMC Third-Party Assessment Organizations (C3PAOs), and after successfully completing an assessment, the contractor will be awarded a certification by an independent CMMC Accreditation Body (CMMC-AB). If the contractor disputes the outcome of a C3PAO assessment, it may submit a dispute adjudication request to the CMMC-AB, which is required to review the adjudication request and provide a preliminary evaluation to the contractor and C3PAO. If the contractor does not accept the CMMC-AB’s preliminary finding, it may request an additional assessment by the CMMC-AB.
Although there are many concerns related to the interim rule, especially regarding the highly technical security requirements set forth in the CMMC, contractors should consider the following high-level issues when undergoing the Basic Assessment process and seeking appropriate certification levels under the CMMC.
Know your data. As the interim rule makes clear, to achieve a specific CMMC level, a contractor “must demonstrate both process institutionalization or maturity and the implementation of practices commensurate with that level” and that it can satisfy the same “for its entire enterprise network or particular segment(s) or enclave(s), depending upon where the information to be protected is processed, stored, or transmitted.” Accordingly, a contractor should seek to identify and consolidate all sensitive government information to minimize the number of systems, networks and devices necessary to perform its business operations and to minimize where compliance-related costs and efforts need to be allocated.
Assessment timelines. According to the interim rule, there is an “urgent need for DoD to immediately begin assessing where vulnerabilities in its supply chain exist and take steps to correct such deficiencies,” which is accomplished through DoD’s Basic Assessment process. Accordingly, while the interim rule does not take effect until November 30 and the implementation of CMMC compliance is planned to take place over a five-year period, contractors and subcontractors subject to DFARS 252.204-7012 (and NIST SP 800-171) are “encouraged to immediately conduct and submit” a Basic Assessment to DoD.
Budgeting and internal resources. The interim rule describes the annual costs an organization should expect to incur to comply with the DoD Assessment and CMMC frameworks, which depend upon the organization’s level of sophistication and size and the level of compliance needed. These costs could range from $75 to $110,000 per year. Accordingly, a contractor should ensure that it identifies the proper personnel and resources (including funding) needed to ensure compliance with DoD’s interim rule (and expected final rule).
Subcontracting terms. Contractors will be required to “flow down the appropriate CMMC certification requirement to subcontractors throughout the entire supply chain.” Accordingly, a defense contractor must ensure that its subcontracts are drafted to include the necessary DFARS “flow down” clauses, and that it has the appropriate internal processes and procedures to conduct the corresponding diligence necessary to ensure that its entire supply chain complies with the clauses.
Comments on the interim rule. DoD will consider and assess any comments it receives by November 30 from the general public about the interim rule as it formulates its final revisions to the DFARS. However, based on its previous statements, we do not anticipate that the interim rule will undergo substantial changes before it is finalized.
FOR MORE INFORMATION
For more information, please contact:
Joseph R. Berger
Francis E. (Chip) Purcell, Jr.
Steven G. Stransky
This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.
This document may be considered attorney advertising in some jurisdictions.
© 2020 THOMPSON HINE LLP. ALL RIGHTS RESERVED.