Careers

Diversity, Equity & Inclusion

Experience

Innovation

Interactive Maps

Locations

About

Pages

Meet our team of innovators
Ask us how we do it

Professionals

Insights

Services

Thompson Hine LLP, a full-service business law firm with approximately 400 lawyers in 8 offices, was ranked number 1 in the category “Most innovative North American law firms: New working models” by The Financial Times and was 1 of 7 firms shortlisted for The American Lawyer’s inaugural Legal Services Innovation Award. The firm has been recognized by the National Law Journal as a Legal Technology Trailblazer and featured by Bloomberg for its innovative service delivery models, which drive accuracy and predictability. The firm’s commitment to innovation is embodied in Thompson Hine SmartPaTHTM – a smarter way to work – predictable, efficient and aligned with client goals. For more information, please visit ThompsonHine.com and ThompsonHine.com/SmartPaTH.

Home | Thompson Hine LLP

Atlanta

Chicago

Cincinnati

Cleveland

Columbus

Dayton

New York

Washington, D.C.

core/separator

core/heading

core/list

On September 29, the U.S. Department of Defense (DoD) issued an <a href="https://www.govinfo.gov/content/pkg/FR-2020-09-29/pdf/2020-21123.pdf" target="_blank" rel="noopener">interim rule</a> to amend the Defense Federal Acquisition Regulation Supplement (DFARS) and impose new data security requirements on contractors. The interim rule defines new obligations for defense contractors to immediately undertake cybersecurity “Assessments” and formally implements the Cybersecurity Maturity Model Certification (CMMC) framework.

contentpilot/introduction

Pursuant to existing regulations, federal contractors must implement and maintain certain data security controls to protect sensitive information in their custody or control and within their supply chain. For instance, FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, requires contractors and their subcontractors to implement a basic level of security controls when processing federal contract information in or from covered contractor information systems.

core/paragraph

In addition, DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors and their subcontractors to provide “adequate security” when processing controlled unclassified information (CUI) and to notify DoD if any CUI is compromised or is subject to a cyber incident. More specifically, the clause requires contractors to meet or exceed the information security requirements set forth in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

Interim Rule and Cybersecurity Requirements

Generally, DoD enforces compliance with its cybersecurity regulations by having contractors self-attest to meeting the security requirements therein. Although in some instances a contractor may receive an award without having to fully implement all security requirements set forth in NIST SP 800-171, it must draft a “Plan of Action” setting forth its strategy and timeline for doing so. To address this shortcoming (and others), DoD’s interim rule creates a two-pronged approach that focuses on new DoD Assessments and the CMMC.

The interim rule adds DFARS clauses 252.204-7019 and 252.204-7020 to address certain data security assessments that contractors must undertake. In particular, all organizations that are already required to comply with NIST SP 800-171 pursuant to a defense contract will now be required by the new DFARS clauses to complete a Basic Assessment and to submit their assessment scores to the Supplier Risk Management System, which is DoD’s source for supplier and product performance information. The Basic Assessment is a self-assessment undertaken by the contractor using a specific scoring methodology meant to inform DoD how many security requirements the contractor has not yet implemented. An organization that has fully implemented all 110 security controls set forth in NIST SP 800-171 would receive a score of 110. An organization that has not implemented all 110 requirements will receive a score of 110 minus the total value assigned to each unimplemented requirement. To be considered for award, a contractor must have a current Basic Assessment on file with DoD, which will verify the contractor’s Assessment prior to award. The Basic Assessment is valid for three years.

After a defense contract is awarded, DoD may choose to conduct a Medium or High Assessment if the contractor is collecting sensitive government information or is involved in certain defense programs. Under the Medium and High Assessments, DoD personnel will assess the contractor’s system security plan (SSP) description of how each NIST SP 800-171 requirement is satisfied, will identify any descriptions that may not properly address the requirements, and may access the contractor’s facilities and interview its employees to facilitate this process. In the event DoD undertakes a High Assessment, the contractor must affirmatively demonstrate its SSP to DoD for compliance purposes.

The interim rule also amends the DFARS by adding a new clause, DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirement, which requires every defense contractor to have a specified certification under the CMMC and to maintain it for the duration of the contract. The CMMC framework consists of information security processes and practices, which align to the following five certification levels within the CMMC:

Defense contractors that do not process or retain CUI must obtain a CMMC Level 1 certification. Contractors that process, store or transmit CUI must achieve CMMC Level 3 or higher, depending on the sensitivity of the information associated with a program or the technology being developed. DoD will implement CMMC requirements over a span of approximately five years.

CMMC assessments will be conducted by CMMC Third-Party Assessment Organizations (C3PAOs), and after successfully completing an assessment, the contractor will be awarded a certification by an independent CMMC Accreditation Body (CMMC-AB). If the contractor disputes the outcome of a C3PAO assessment, it may submit a dispute adjudication request to the CMMC-AB, which is required to review the adjudication request and provide a preliminary evaluation to the contractor and C3PAO. If the contractor does not accept the CMMC-AB’s preliminary finding, it may request an additional assessment by the CMMC-AB.

Although there are many concerns related to the interim rule, especially regarding the highly technical security requirements set forth in the CMMC, contractors should consider the following high-level issues when undergoing the Basic Assessment process and seeking appropriate certification levels under the CMMC.

Know your data. As the interim rule makes clear, to achieve a specific CMMC level, a contractor “must demonstrate both process institutionalization or maturity and the implementation of practices commensurate with that level” and that it can satisfy the same “for its entire enterprise network or particular segment(s) or enclave(s), depending upon where the information to be protected is processed, stored, or transmitted.” Accordingly, a contractor should seek to identify and consolidate all sensitive government information to minimize the number of systems, networks and devices necessary to perform its business operations and to minimize where compliance-related costs and efforts need to be allocated.

Assessment timelines. According to the interim rule, there is an “urgent need for DoD to immediately begin assessing where vulnerabilities in its supply chain exist and take steps to correct such deficiencies,” which is accomplished through DoD’s Basic Assessment process. Accordingly, while the interim rule does not take effect until November 30 and the implementation of CMMC compliance is planned to take place over a five-year period, contractors and subcontractors subject to DFARS 252.204-7012 (and NIST SP 800-171) are “encouraged to immediately conduct and submit” a Basic Assessment to DoD.

Budgeting and internal resources. The interim rule describes the annual costs an organization should expect to incur to comply with the DoD Assessment and CMMC frameworks, which depend upon the organization’s level of sophistication and size and the level of compliance needed. These costs could range from $75 to $110,000 per year. Accordingly, a contractor should ensure that it identifies the proper personnel and resources (including funding) needed to ensure compliance with DoD’s interim rule (and expected final rule).

Subcontracting terms. Contractors will be required to “flow down the appropriate CMMC certification requirement to subcontractors throughout the entire supply chain.” Accordingly, a defense contractor must ensure that its subcontracts are drafted to include the necessary DFARS “flow down” clauses, and that it has the appropriate internal processes and procedures to conduct the corresponding diligence necessary to ensure that its entire supply chain complies with the clauses.

Comments on the interim rule. DoD will consider and assess any comments it receives by November 30 from the general public about the interim rule as it formulates its final revisions to the DFARS. However, based on its previous statements, we do not anticipate that the interim rule will undergo substantial changes before it is finalized.

Mona Adabi 202.263.4147 <a href="mailto:Mona.Adabi@ThompsonHine.com">Mona.Adabi@ThompsonHine.com</a>

Joseph R. Berger 202.263.4193 <a href="mailto:Joseph.Berger@ThompsonHine.com">Joseph.Berger@ThompsonHine.com</a>

Tom Mason 202.263.4168 <a href="mailto:Thomas.Mason@ThompsonHine.com">Thomas.Mason@ThompsonHine.com</a>

Ray McCann 202.263.4152 <a href="mailto:Ray.McCann@ThompsonHine.com">Ray.McCann@ThompsonHine.com</a>

Francis E. (Chip) Purcell, Jr. 202.263.4118 <a href="mailto:Chip.Purcell@ThompsonHine.com">Chip.Purcell@ThompsonHine.com</a>

Steven G. Stransky 216.566.5646 202.263.4126 <a href="mailto:Steve.Stransky@ThompsonHine.com">Steve.Stransky@ThompsonHine.com</a>

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.

https://admin.thompsonhine.com/wp-content/uploads/2022/04/Government_Contracts_Update_-_DoD_Publishes_Interim_Cybersecurity_Rule_on_CMMC_and_DoD_Assessments.pdf

DoD Publishes Interim Cybersecurity Rule on CMMC and DoD Assessments

Services