DoD Issues Interim Rule Implementing CMMC and a NIST SP 800-171 Assessment
By: Lori Lange
Published Date: September 30, 2020
On September 29, 2020, the Department of Defense (DoD) issued its long anticipated interim rule implementing the Cybersecurity Maturity Model Certification (CMMC) framework. 85 FR 61505 (Sep. 29, 2020). Along with issuing a new DFARS clause to implement CMMC, DoD also added a new requirement that covered contractors have a NIST SP 800-171 DoD Assessment. Both provisions of the interim rule are discussed below.
CMMC is a certification program established by DoD that is designed to assess government contractors’ implementation of cybersecurity requirements and to measure a contractor’s ability to protect certain unclassified information. Under CMMC, defense contractors (except those selling commercially available off-the-shelf (COTS) items) must be certified by accredited CMMC Third Party Assessment Organizations (C3PAOs) for the CMMC level specified in the solicitation to be eligible for a DoD contract award. CMMC certifications are valid for three years.
The interim rule adds a new DFARS clause – DFARS 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement – to implement CMMC. When the clause is included in a solicitation and the resulting contract, it requires the contractor to: (1) be certified to at least the specified certification level prior to contract award; (2) maintain the required certification level for the duration of the contract; (3) ensure that subcontractors have the “appropriate” CMMC level prior to subcontract award; and (4) flow the clause down to subcontractors.
CMMC is being rolled out in phases. Until September 30, 2025, defense contractors will only need to be CMMC certified if the solicitation and contract require certification. The interim rule does not identify any criteria to be used by contracting officers in determining whether to include CMMC certification in the solicitation and resulting contract. However, it does require approval from the Office of the Under Secretary of Defense for Acquisition and Sustainment before CMMC requirements can be included in a solicitation and contract during the phase-in period.
Starting on or after October 1, 2025, all defense contractors will need to be CMMC certified as a condition of contract award except for those defense contractors selling commercially available off-the-shelf (COTS) items.
The interim rule does not provide for retroactive implementation of CMMC requirements on existing defense contracts. Nor does it apply to procurements other than DoD procurements. However, contractors should review all new solicitations on which they intend to bid to see if there are CMMC requirements, as other government agencies may elect to impose CMMC requirements.
The interim rule does address some issues that have concerned contractors including the disputes process for challenging a CMMC C3PAO assessment. The interim rule states that contractors can dispute the outcome of a C3PAO assessment by submitting a dispute adjudication request to the CMMC Accreditation Body (CMMC-AB) along with supporting information related to claimed “errors, malfeasance, or ethical lapses” by the C3PAO. The CMMC-AB will use a formal process to review the request and provide a preliminary evaluation to both the contractor and C3PAO. The contractor may further challenge the CMMC-AB’s preliminary finding by requesting an additional assessment by the CMMC-AB staff.
Other concerns, however, were not fully addressed. For example, while the interim rule requires contractors to be CMMC certified prior to award, it does not address whether this is a pass/fail or substantive evaluation. In other words, can a contractor who has a higher level certification be evaluated more favorably? Also, is CMMC certification a matter of contractor responsibility that is not subject to protest?
Also, while the interim rule requires that prime contractors ensure that their subcontractors have the “appropriate” CMMC level prior to awarding a subcontract, it provides little guidance on what is appropriate. The interim rule only advises that subcontractors who process, store, or transmit Controlled Unclassified Information (CUI) must have a Level 1 or higher certification, while subcontractors who do not only need a Level 1 certification.
NIST SP 800-171 DoD Assessment Methodology
DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors to apply the security controls of NIST SP 800-171 to covered contractor information systems. Currently, DoD does not audit or otherwise verify the contractor’s compliance. The interim rule, however, establishes a requirement that contractors have an assessment of their compliance with the NIST SP 800-171 security controls before the award of a new contract or the exercise of an option or contract extension when the contractor is required to implement NIST SP 800-171 under DFARS 252.204-7012. Specifically, Contracting Officers are required to verify that the contractor has a current (not older than three years) assessment on record prior to award.
The interim rule creates two new DFARS clauses to implement the NIST SP 800-171 Assessment Requirement. DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, notifies contractors of the requirement to have an assessment, the contents of each assessment, and the procedure to obtain one. DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, requires contractors to provide access to their facilities, systems, and personnel necessary if DoD decides to conduct an assessment.
There are three assessment levels – Basic, Medium, and High. A Basic Assessment is the contractor’s self-assessment of its implementation of NIST SP 800-171 through its system security plan using the NIST SP 800-171 DoD Assessment Methodology. The Basic Assessment tells DoD how many security requirements the contractor has not yet implemented. The contractor’s score is based on the number of NIST SP 800-171 security requirements implemented. A contractor who has implemented all 110 controls will have a score of 110. A contractor who has unimplemented controls must use the scoring methodology to assign a value to each unimplemented control, add up those values, and subtract the total value from 110 to determine its score. According to DoD, the Basic Assessment will assist contractors in reviewing their system security plans prior to and in preparation for either a DoD NIST SP 800-171 assessment or a CMMC assessment.
While a Basic Assessment is done by the contractor, DoD may perform either a Medium or High Assessment after a contract is awarded, based on the criticality of the program or the sensitivity of the information being handled by the contractor. A Medium Assessment involves a review of the contractor’s Basic Assessment, a “thorough document review”, and discussion with the contractor to obtain additional information or clarification. A High Assessment is the same as a Medium Assessment with the addition of verification, examination, and demonstration of the contractor’s system security plan to validate that the NIST SP 800-171 controls have been implemented as described in the plan. In the interim rule, DoD stated that it expects to conduct Medium and High Assessments on a finite number of contractors each year and estimates that 200 contractors will undergo a Medium Assessment and 110 contractors will undergo a High Assessment.
Assessments are completed for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order. The results of the assessment are documented in DoD’s Supplier Performance Risk System (SPRS). Contracting Officers can access SPRS to verify that the contractor has a current assessment on record prior to contract award. Since it will take 30 days to post an assessment score in SPRS, contractors should ensure they conduct and submit their Basic Assessments in a timely manner.
DoD will provide the contractor with its Medium and High Assessment summary level scores and offer the contractor the opportunity for rebuttal and adjudication of assessment summary level scores prior to posting the summary level scores to SPRS. The contractor has 14 business days after completion of the assessment to submit additional information demonstrating that the contractor met any security requirements not observed by the assessment team or to rebut any findings that may be of question.
As with CMMC implementation, the interim rule does not address some key issues regarding the NIST SP 800-171 assessment. For example, the interim rule does not indicate whether there is a minimum score the contractor has to receive to be eligible for award. DFARS 252.204-7019 and DFARS 252.204-7020 merely require that the contractor identify a date by which it expects to achieve a score of 110 as part of its Basic Assessment.
Another issue involves subcontractor assessments. The prime contractor cannot award a subcontract subject to the NIST SP 800-171 security controls unless the subcontractor has a current NIST SP 800-171 assessment. While the prime contractor will be able to review any DoD-performed assessments of its own systems in SPRS, it does not have access to subcontractor assessments. Thus, the prime contractor will not be able to independently verify the subcontractor’s compliance with NIST SP 800-171.
The interim rule is effective November 30, 2020. Interested parties may submit comments on the interim rule by November 30, 2020. Comments may be submitted through www.regulations.gov under DFARS Case 2019-D041.