On Sept. 29, 2020, the Department of Defense (DoD) released an interim rule providing more information on the planned rollout of the Cybersecurity Maturity Model Certification (CMMC). The rule also introduced an immediate requirement for NIST 800-171 assessment and scoring, with submission required to DoD for review prior to a contractor being awarded a contract. While the rule provided new information, it also raised new questions about exactly what contractors need to do now to make sure their ability to win future work with DoD is not adversely impacted. Here are five key takeaways for contractors to consider.
1. CMMC IS COMING – BUT NOT AS QUICKLY AS ADVERTISED
Since early 2020, sponsors of CMMC within DoD have expressed urgency to contractors for implementing CMMC requirements, publicly stating that it would be integrated into a select number of Requests for Information (RFIs) and Requests for Proposals (RFPs) by the second half of 2020, and that contractors would need to be certified in order to be awarded associated contracts. While pilot CMMC assessments are currently being conducted, the interim rule suggests that CMMC will not be integrated into contracts until 2021. Until then, the interim rule has reverted to the existing NIST 800-171 compliance requirement of DFARS 252.204-7012 – albeit with a new self-scoring mechanism – which leads to the second key takeaway.
2. THERE IS AN IMMEDIATE CALL TO ACTION ON NIST 800-171
The interim rule now requires contractors who handle Controlled Unclassified Information (CUI) to perform a “Basic” level assessment of their cybersecurity protections, using DoD’s NIST SP 800-171 Assessment Methodology and its scoring mechanism. Scoring results are to be submitted to the Supplier Risk Management System (SPRS), where the DoD requiring activity will review them in advance of awarding new contracts. DoD may, at its discretion, perform more in-depth assessments of its own (“Medium” or “High” level assessments), which the rule states could require DoD access to the contractor’s systems and facilities. Beginning Nov. 30, 2020, contractors who have not submitted their scoring results will not be eligible to win new contracts.
3. SCORING IS USED, BUT THERE IS NO GUIDANCE ON WHAT IS CONSIDERED A “GOOD” SCORE
DoD’s NIST SP 800-171 Assessment Methodology provides instructions for contractors to score their own environment based upon the results of their own assessment. The maximum score is 110 (the number of control requirements in NIST 800-171), but there is no explanation of how the score will be used, other than to say that DoD will review the score as part of its consideration of a contractor’s proposal. There is no transparency as to what is considered a sufficient score to win a contract, except that contractors who have not submitted a score are disqualified.
4. FLOW-DOWN OF NIST 800-171 SCORING REQUIREMENTS IS UNCLEAR
In addition to the lack of clarity around how a prime’s own score will be used, there is no clarification on how primes are expected to handle and manage their subcontractors’ scores. Currently, guidance under DFARS 252.204-7012 requires primes to flow down CUI protections to their subcontractors, but the process for validating compliance with the rule is left to the contractors in the supply chain. With the introduction of the new NIST 800-171 scoring, it is unclear how contractors are expected to handle their subcontractors’ scores. For instance, do primes need to validate subcontractors by submitting the subcontractors’ scores to SPRS, or validate that a subcontractor’s score meets a minimum threshold before using that company as a sub? More guidance is needed in this area.
5. REFRAIN FROM RELIANCE ON THE COST ESTIMATES DESCRIBED
Finally, estimated costs for CMMC compliance at each maturity level have been provided, including estimates for preparing for a CMMC assessment and for the actual assessment by an accredited CMMC assessment company (C3PAO). Since there are currently no accredited C3PAOs, the CMMC assessor guidance has not been released, and IT environments vary dramatically in size and complexity, these estimates should not be relied upon when budgeting for CMMC certification in the coming years.
CMMC – and the protection of the government’s CUI – remain highly important initiatives, and the interim rule brings us a step closer to a standardized approach to cybersecurity protection, assessment and verification. We anticipate that additional guidance will be released to address many of the related questions; in the meantime, DoD has requested that industry provide comments during the interim period. The full rule can be found here: DFARS Case 2019-D041. For more information, you can reach out to us at firstname.lastname@example.org.