CMMC Ruling: November 2021
Stricter oversight and assurance of DoD data
On 4 November 2021 the DoD announced CMMC 2.0 to enhance the protection, oversight and assurance of DoD data. The changes reflected in CMMC 2.0 will be implemented through the rulemaking process, and companies will be required to comply once the forthcoming rules go into effect. The Department intends to pursue rulemaking both in Part 32 of the Code of Federal Regulations (C.F.R.) and in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R. Both rules will have a public comment period. Stakeholder input is critical to meeting the objectives of the CMMC program, and the Department will actively seek opportunities to engage stakeholders as it drives towards full implementation.
While these rulemaking efforts are ongoing, the Department intends to suspend the current CMMC Piloting efforts and will not approve inclusion of a CMMC requirement in any DoD solicitation.
The exact date from which defence contractors must implement CMMC requirements is not yet known. It can take up to 2 years to pass the acquisition legislation needed to effect the changes required to implement the CMMC proposal announced in November 2021. In the interim, the DoD is exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC certification.
Existing DFARS cybersecurity regulations are enforceable
The CMMC 2.0 program does not affect the existing DFARS regulations 252.204-7012, 252.204-7019 and 252.204-7020 (the latter two added in November 2020). The implementation and flow-down of NIST SP 800-171 cybersecurity practices is required of defence contractors and subcontractors before a DoD contract can be awarded. Furthermore, the DFARS clauses added in November 2020 are enforceable by the DoD for contract award, oversight and assurance, specifically:
DFARS clause 252.204-7019. Contractors and subcontractors are to assess their ‘basic’ compliance with NIST SP 800-171 and its 110 security practices, and post their results in the DoD Supplier Performance Risk System (SPRS).
DFARS clause 252.204-7020.
- Contractors are to provide access to their facilities, systems and personnel, enabling the Defence Contract Management Agency (DCMA) to undertake ‘medium’ and ‘high’ level assessments of NIST SP 800-171 compliance.
- Contractors also have to ensure that applicable subcontractors have a current NIST SP 800-171 assessment posted in SPRS.
It is an important ruling for the US DoD, its Defence Industrial Base (DIB), and cyber security, legal and procurement professionals. It sets a precedent for cyber security by implementing a standard with global reach and direct economic influence on the DIB and on the countries in which its members are located. The ruling addresses the failings in DFARS 252.204-7012 compliance identified through various audits and assessments, in order to secure critical defence information, including defence IP, which is managed as Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
The ruling will create new DFARS clauses, complementing the existing clause 252.204-7012, to formalise the deployment, oversight and assurance of NIST SP 800-171 and of the additional cyber security practices required for CMMC:
DFARS clause 252.204-7019. Contractors and subcontractors are to assess their compliance with NIST SP 800-171 and its 110 security practices, and post their results in the DoD Supplier Performance Risk System (SPRS).
DFARS clause 252.204-7020. Contractors are to provide the government with access to their facilities, systems and personnel, and to ensure that applicable subcontractors have a current NIST SP 800-171 assessment posted in SPRS.
DFARS clause 252.204-7021. Cybersecurity Maturity Model Certification (CMMC) requires contractors and subcontractors to hold the appropriate CMMC certificate of compliance and to maintain it for the life of the contract.
Contractors will be required to have up-to-date NIST SP 800-171 assessment results, and CMMC certification where the DoD contract requires it, posted in SPRS before a contract award is made.
Assessing compliance to NIST SP 800-171
Current compliance with NIST SP 800-171 can be assessed following the DoD Assessment Methodology (DAM). In February 2019 the Office of the Under Secretary of Defence for Acquisition and Sustainment (OUSD A&S) directed the Defence Contract Management Agency (DCMA) to develop a standard methodology for assessing contractor implementation of the NIST SP 800-171 requirements. The methodology produces a consistent scoring model intended to be used and accepted by multiple US government agencies, and is described in DoD Assessment Methodology version 1.2.1.
The DAM is to be used by contractors, subcontractors and DoD personnel to assess compliance with the 110 NIST SP 800-171 practices at three levels, basic, medium and high, and to calculate the net effect of compliance with those practices. Assessments are carried out using NIST SP 800-171A, ‘Assessing Security Requirements for Controlled Unclassified Information’, and review appropriate evidence and/or demonstration of compliance (e.g. recent scanning results, system inventories, configuration baselines, a demonstration of multifactor authentication).
- Basic – Contractors complete a self-assessment of their compliance with the 110 security practices in NIST SP 800-171, based on a review of the system security plan(s) associated with the covered contractor information system(s) and conducted in accordance with the NIST SP 800-171 DoD Assessment Methodology (current version 1.2.1). The self-assessment yields a net impact score of practice compliance.
- Medium – A NIST SP 800-171 assessment conducted by DoD personnel, consisting of a review of the System Security Plan(s) and of how the 110 requirements have been met, identifying descriptions that may not properly address the security requirements. It is anticipated that the assessment will be conducted as part of a separately scheduled visit.
- High – An assessment conducted by DoD personnel, involving a thorough onsite visit or virtual assessment with verification, examination and demonstration of the System Security Plan and of the implementation of the 110 NIST SP 800-171 security requirements.
The results of basic, medium and high-level DoD assessments are documented in the US DoD Supplier Performance Risk System (SPRS) and are available across Government for use in procurement actions. Once posted, the scores are visible to the assessed organization, and their existence is to be confirmed prior to awarding a contract. The DoD assumes that the burden of the basic self-assessment will be low for contractors and subcontractors, on the view that the compliance requirements have been in place and tested through self-attestation since DFARS 252.204-7012 was to have been fully implemented by the end of 2017. Where requirements have not yet been implemented, they are to be documented in System Security Plans and Plans of Action (POAs).
Medium and high-level assessments will be intrusive. A medium assessment reviews a contractor's or subcontractor's System Security Plan and its descriptions of how each requirement is met, to evaluate compliance with the 110 security requirements, and may require an onsite visit. For both medium and high-level assessments, contractors and subcontractors will be required to substantiate their basic assessments and to provide evidence of compliance and system testing in line with their System Security Plan(s) and Plans of Action. The results of both medium and high-level assessments are entered into SPRS by the DoD.
which contractors should use to assess their compliance to NIST SP 800 – 171 security practices and that of their subcontractors.
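The basic self-assessment scoring described above, as an added example that is not part of the article: a small calculator for the DAM net score. It assumes the DAM v1.2.1 scheme (a maximum of 110, a weight of 5, 3 or 1 deducted per unimplemented requirement, POA-covered items counted as unimplemented, a reduced 3-point deduction for partial MFA and non-FIPS encryption, and no score at all without a System Security Plan); the per-requirement weights in the block are an illustrative subset and the authoritative values belong to the DAM itself.

```python
"""DAM-style basic self-assessment score (added example, not from the article).

Assumed scheme (DAM v1.2.1, not stated on the page): start at 110 and deduct a
weight of 5, 3 or 1 for every NIST SP 800-171 requirement not implemented; a
requirement covered only by a Plan of Action (POA) counts as not implemented;
3.5.3 (MFA) and 3.13.11 (FIPS crypto) get a reduced 3-point deduction when
partial; nothing is scored without a System Security Plan (3.12.4).
"""

MAX_SCORE = 110
SSP_REQUIREMENT = "3.12.4"                    # no SSP -> no assessment
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}   # reduced deduction if "partial"

# Illustrative subset of requirement weights; the real table has 110 entries
# and the authoritative values belong to the DAM annex, not this example.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.3.1": 5, "3.5.3": 5,
    "3.8.3": 5, "3.12.4": None, "3.13.11": 5, "3.14.1": 5, "3.14.5": 3,
}

def dam_score(statuses, weights=WEIGHTS):
    """Return (score, deductions) for a status map of requirement id ->
    "implemented" | "poa" | "not_implemented" | "partial" (credit only for
    PARTIAL_CREDIT ids). Requirements missing from the map are unimplemented."""
    if statuses.get(SSP_REQUIREMENT) != "implemented":
        raise ValueError("no System Security Plan: assessment cannot be scored")
    deductions = {}
    for req, weight in weights.items():
        if weight is None:            # the SSP requirement itself is unweighted
            continue
        status = statuses.get(req, "not_implemented")
        if status == "implemented":
            continue
        if status == "partial" and req in PARTIAL_CREDIT:
            deductions[req] = PARTIAL_CREDIT[req]
        else:                         # "poa" scores exactly like unimplemented
            deductions[req] = weight
    return MAX_SCORE - sum(deductions.values()), deductions

# Constructed sample SSP: all implemented except one POA item, MFA only for
# remote/privileged access, and encryption that is not FIPS-validated.
SAMPLE_SSP = {req: "implemented" for req in WEIGHTS}
SAMPLE_SSP.update({"3.3.1": "poa", "3.5.3": "partial", "3.13.11": "partial"})

if __name__ == "__main__":
    print(dam_score(SAMPLE_SSP))  # (99, {'3.3.1': 5, '3.5.3': 3, '3.13.11': 3})
```

The POA item costs the full 5 points even though a remediation plan exists, which is the point the article makes about POAs under the DAM.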
Impact of the ruling on the Defence Industrial Base (DIB)
The ruling will have a significant impact on the DoD supply chain and its DIB. Following a DoD review of NAICS codes and awards that included DFARS clause 252.204-7012, the top 5 industries expected to be affected by the rule are Research and Development in the Physical, Engineering, and Life Sciences; Engineering Services; Commercial and Institutional Building Construction; Other Computer Related Services; and Facilities Support Services. These sectors are served by international contractors and subcontractors, and the ruling is explicit in its reference to the role of contractors and subcontractors in providing adequate protection for the storage, processing and transmission of CUI.
The ruling is complex; the most salient points of consideration are that it:
- Assumes that contractors and subcontractors who are required to comply with DFARS 252.204 – 7012 have either implemented the 110 NIST SP 800 – 171 security practices or identified gaps in compliance, assessed against their System Security Plan(s) and covered these by a Plan of Action.
- Assumes that the cost of CMMC compliance will be minimal, based on the incremental cost of compliance above the existing requirements mapped to the relevant CMMC maturity level. There will be an additional cost element for the additional CMMC practices applied at levels 2, 3, 4 and 5.
- Requires contractors to flow down DFARS clause 252.204-7012 to subcontractors through contractual agreements, which in turn flows down CUI-related information, the application and oversight of NIST SP 800-171, and the appropriate security requirements.
- On formal release of the ruling, contractors and subcontractors processing CUI will be required to submit a current ‘basic’ assessment of their compliance with NIST SP 800-171 (following the DoD assessment methodology) into SPRS before a new contract is awarded. Contractors will be expected to ensure that applicable subcontractors have submitted their assessments of NIST SP 800-171 compliance into SPRS prior to the awarding of a subcontract or other contractual instrument. ‘Medium’ and ‘high’ level assessments will be carried out by DoD personnel, including the relevant programme office and the DCMA.
- The new DFARS clause 252.204-7020 will require contractors to provide US government access to their facilities, systems and personnel when it is necessary for the DoD to conduct or renew a higher-level DoD assessment. DFARS clause 252.204-7020 will also require contractors to ensure that applicable subcontractors have the results of a current NIST SP 800-171 assessment posted in SPRS.
- Between the formal release of the ruling and CMMC programme completion (1st October 2025), where a contract award includes CMMC requirements, a certificate of CMMC compliance at the specified level will be required before the contract is awarded. From 1st October 2025, all contractors and subcontractors will require a CMMC certificate of compliance before they are awarded a DoD contract.
- The new DFARS clause 252.204-7021 requires contractors to hold a CMMC certification at the level required in the solicitation or contract award and to maintain that level for the duration of the contract, to include the clause in all subcontracts or other contractual instruments, and to ensure that their subcontractors have the appropriate CMMC level prior to awarding a subcontract.
- Where the DoD assessment methodology is used, a POA in place for an unimplemented (or partially implemented) security requirement results in that requirement being scored as unimplemented. POAs are not accepted for achieving CMMC compliance.
- Assessments using the DoD assessment methodology and CMMC certifications are valid for 3 years.
- Contractors and subcontractors will require an up-to-date NIST SP 800-171 assessment posted in the DoD's SPRS and/or a CMMC certificate before a contract award will be made.