CMMC 2.0: Impact of DFARS CMMC
Regulatory requirements of DFARS 252.204-7012, 7019 and 7020
DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting”, came into effect on 31 December 2017. It requires DoD contractors worldwide that are subject to DFARS 252.204-7012 to provide “adequate security” for covered defense information that is processed, stored, or transmitted on the contractor’s internal information system or network. In practice, DFARS 252.204-7012 requires contractors to implement NIST SP 800-171 to protect systems and networks that process, store, or transmit “covered defense information”. The clause also requires contractors to ‘flow down’ the requirements of NIST SP 800-171 to their subcontractors, so that they too implement the 110 cybersecurity practices for the protection of Controlled Unclassified Information (CUI) and for cyber incident reporting.
In November 2020, additional DFARS clauses were added to evaluate compliance with the cybersecurity requirements outlined in DFARS 252.204-7012. DFARS 252.204-7019 and 7020 were introduced to give the DoD a mechanism for oversight and assurance of compliance with NIST SP 800-171, enabling the DoD to protect the warfighter. DFARS 252.204-7012, 7019 and 7020 have global reach and a direct economic impact on the Defense Industrial Base (DIB) and the countries in which its members are located. Through contractual flow-down of DFARS 252.204-7012, and prior to DoD contract award, DFARS 7019 and 7020 require the following:
- Contractors and subcontractors subject to DFARS 252.204-7012 that process CUI must complete a ‘basic’ assessment of their NIST SP 800-171 compliance. They are required to submit their assessment to the DoD Supplier Performance Risk System (SPRS) before a new contract is awarded.
- Contractors must confirm that applicable subcontractors have completed an assessment of NIST SP 800-171 compliance and submitted their scores to SPRS prior to awarding a subcontract or other contractual instrument.
- Contractors and subcontractors must prepare for ‘Medium’ and ‘High’ level assessments of their compliance with NIST SP 800-171, to be carried out remotely or on site by DoD personnel, including the relevant programme office and the DCMA.
- Contractors and subcontractors must use the DoD Assessment Methodology (DAM) to assess NIST SP 800-171 compliance in accordance with NIST SP 800-171A.
Impact of CMMC 2.0 legislation
There is no confirmed date for when CMMC 2.0 will be formalised and added to DoD contracts; the rulemaking process is expected to take between 9 and 22 months. CMMC 2.0 does not replace DFARS 252.204-7012, 7019 or 7020, and those DFARS requirements remain in place for now. CMMC 2.0 adds three levels of cybersecurity compliance: Level 1, Level 2 and Level 3.
- CMMC 2.0 Level 1 “Foundational”: contractors will be required to comply with 17 “basic cyber hygiene” security practices from NIST SP 800-171 and will not require a certification of compliance. Level 1 applies to organizations that only handle Federal Contract Information (FCI), and it removes assessment cost for organizations that do not hold CUI: an annual self-assessment of network practices against the basic NIST SP 800-171 requirements is sufficient to demonstrate compliance. Contractors maintaining Level 1 will be required to assess their compliance with the 17 cybersecurity practices and upload the result to the DoD Supplier Performance Risk System (SPRS).
- CMMC 2.0 Level 2 “Advanced”: certification will require affected organisations to adhere to the NIST SP 800-171 security controls. Level 2 is split into two subgroups based on the criticality of the information held by the contractor. Contractors who hold CUI consisting of “Critical National Security Information” will be required to undergo third-party assessments every three years, while select programs will instead be allowed to demonstrate compliance through self-assessment.
- CMMC 2.0 Level 3 “Expert”, which parallels the original CMMC’s Level 5, applies to contractors who hold CUI and are involved with the “highest priority, most critical defense programs.” Contractors holding Level 3 certification will be required to comply with more than 110 practices, based on NIST SP 800-172. The DoD will conduct its own Level 3 assessments, likely to be carried out by the Defense Contract Management Agency (DCMA) every three years.
Consistent with the current DFARS 252.204-7012, 7019 and 7020 regulations, contractors and subcontractors must provide their compliance scores to the DoD SPRS before a contract or subcontract is awarded.
Figure 1: CMMC 2.0 Model