CMMC Interim Final Rule: A 2 part ruling securing DoD data
Stricter oversight and assurance of DoD data
On the 29th of September 2020 the DoD released the Interim Final Ruling (IFR) for DFARS Case D041 to enhance the protection, oversight, and assurance of DoD data. With an effective date of the 1st December 2020.
It is an important ruling for the US DoD, its Defence Industry Base (DIB), cyber security, legal and procurement professionals. Setting a precedence for cyber security, implementing a standard which has global reach and direct economic influence on the DIB and the countries in which they are located. The ruling addresses the failings identified through various audits and assessments in DFARS 252.204-7012, to secure critical defence information including defence IP, which is managed through Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
The ruling will create new DFARS Clauses, complimenting the existing clause 252.204 – 7012 to formalise the deployment, oversight and assurance of NIST SP 800 – 171 and additional cyber security practices for CMMC.
DFARS clause 252.204 – 7019. Contractors and subcontractors are to to assess their compliance to NIST SP 800 – 171 and the associated 110 security practices. Posting their compliance results into the DoD Supplier Performance Risk System (SPRS).
DFARS clause 252.204 – 7020. Contractors are to provide government with access their facilities, systems and personnel. Contractors also have to ensure that applicable subcontractors have a current NISP SP 800 – 171 assessment posted in SPRS.
DFARS clause 252.204 – 7021. Cybersecurity Maturity Model Certification (CMMC) require contractors and subcontractors to have an appropriate CMMC certificate of compliance and maintain it for the life of a contract.
Contractors will be required to have up to date NIST SP 800 – 171 assessment results and CMMC certification (if required by the DoD contract) posted in the SPRS system before a contract award is made.
A 2 part ruling – DoD Assessment Methodology and CMMC
The IFR sets out 2 core requirements, working in parallel to address the oversight and assurance of contractor and subcontractor compliance for the protection of CUI and FCI data across the DIB. It formalises both the DoD Assessment Methodology (DAM) for NIST SP 800 – 171 compliance and the adoption of the CMMC framework.
Part 1 – The DoD Assessment Methodology (DAM). In February 2019 the Office of the Under Secretary of Defence for Acquisitions and Sustainment (OUSD A&S) directed the Defence Contract Management Agency (DCMA) to develop a standard methodology to assess contractor implementation of the requirements in NIST SP 800 – 171. This methodology produces a consistent measure scoring model which is intended to be used and accepted by multiple US government agencies. A methodology as described in DoD Assessment Methodology version 1.2.1, which contractors should use to assess their compliance to NIST SP 800 – 171 security practices and that of their subcontractors.
Part 2 – The CMMC Framework. Section 1648 of the National Defense Authorisation Action for Fiscal year (FY) 2020 (Pub L. 116-92) directed the Secretary of Defence to develop a cybersecurity framework for the DIB sector, resulting in the CMMC as the basis for a mandatory DoD standard. The aim of the CMMC framework is to build upon the NIST SP 800 – 171 DoD Assessment Methodology through independent assurance and oversight. Adding scalability and certification to verify that contractors and subcontractors have implemented NIST SP 800 – 171. To a level appropriate to the DoD contract, which will be defined by the DoD in association with the CUI data and information which the contractor and their subcontractors will create, manage and store.
The DoD proposes to add CMMC requirements into contracts starting in 2021, initially targeting 15 prime contracts.
The DoD Assessment Methodology (DAM)
The DAM is to be used by contractors, subcontractors, and DoD personnel to assess compliance to the 110 NIST SP 800 – 171 practices at a basic, medium, and high level. Calculating the net effect of compliance to the practices documented within NIST SP 800 – 171. The assessments are at three levels basic, medium and high, assessed using NIST SP 800 – 171A ‘Assessing Security requirements for CUI’ and will review appropriate evidence and/or demonstration of compliance (e.g. recent scanning results, system inventories, configuration baselines, demonstration of multifactor authentication).
- Basic – Contractors are required to complete a self-assessment of their compliance to the 110 security practices in NIST SP 800-171. Based on a review of the system security plan(s) associated with covered contractor information system(s), conducted in accordance with NIST SP 800-171 DoD Assessment Methodology (current version 1.2.1). It calculates a net impact score of practice compliance.
- Medium – A NIST SP 800-171 assessment will be conducted by DoD personnel and consist of a review of the System Security Plan(s) and how the 110 defined requirements have been met. Identifying descriptions which may not properly address the security requirements. It is anticipated that the assessment is conducted as part of a separately scheduled visit.
- High – An assessment will be conducted by DoD personal and involve a thorough onsite visit or virtual assessment. It will involve a verification/ examination/ demonstration of the System Security Plan and implementation of the 110 NIST 800 – 171 security requirements.
The results of the basic, medium and high-level DoD assessment are to be documented in the US DoD Supplier Performance Risk System(SPRS) and available to all of Government for use in their procurement actions. Once posted, these scores are visible to the assessed organization and their existence is to be confirmed prior to awarding a contract. The DoD assumes that the burden of the basic level self-assessment will be low for contractors and subcontractors. The view is that the requirements for compliance have been in place and tested through self-attestation since the DFARS 252.204 – 7012 clause was to have been fully implemented by the end of 2017. Where requirements have not yet been implemented, they are to be documented in System Security Plans and Plans of Action (POAs).
Medium and high – level assessments will be intrusive. A medium assessment will review a contractor and subcontractors System Security Plan and descriptions of how each requirement is met to evaluate compliance to the 110 security requirements and may require an onsite visit. For both medium and high – level assessments contractors and subcontractors will be required to substantiate their basic assessments, provide evidence of compliance and system testing in line with their System Security Plan(s) and Plans of Action. With the results of both medium and high-level assessments being input into SPRS by the DoD.
CMMC – CUI and FCI
The ruling formalises oversight and assurance of CUI and FCI protection into 5 levels of security maturity. Oversight of FCI data protection is defined at CMMC level 1, in line with FAR 52.204–21. CMMC level 2 is an intermediate compliance level for contractors and subcontractors who process FCI and wish to bid for contracts containing CUI, progressing to level 3. CMMC level 3, 4 and 5 are applied to contractors and subcontractors processing CUI, utilising the 110 NIST SP 800 – 171 security practices as a foundation from level 3. CMMC requires security practices to be institutionalised by the contractor and subcontractor with 5 levels of maturity compliance (ML 1, 2, 3, 4 and 5) applied at corresponding CMMC levels. Evaluating practices are performed (level 1), documented (level 2), managed (level 3), reviewed (level 4), and optimised (level 5).
Incrementally each CMMC level will require compliance to an increasing number of practices and an increase in associated maturity. To achieve compliance a company must demonstrate both institutionalisation of maturity and deployment of the practices to achieve the appropriate CMMC level certification.
DFARS clause 252.204-7021 will be used in all solicitations, contracts, task orders and delivery orders to be phased in over the next five years. It requires contractors to obtain a CMMC certification at the level defined in the solicitation prior to contract award, maintain that CMMC level for the duration of the contract and ensure that its subcontractors have the appropriate CMMC level prior to awarding a subcontract or other contractual instruments.
Impact of the ruling on the Defence Industry Base (DIB)
The ruling will have a significant impact on the DoD supply chain and it DIB. Following a review by the DoD using NAICS codes and awards that included the DFARS clause 252.204 – 7012, there is an expectation that the top 5 industries impacted by the rule will be Research and Development in the Physical, Engineering, and Life Sciences, Engineering Services, Commercial and Institutional Building Construction, Other Computer Related Services and Facilities Support Services. Sectors which are serviced by international contractors and subcontractors and the ruling is explicit in its reference of the role of contractors and subcontractors in providing adequate protection to the storage, processing, and transmission of CUI.
The ruling is complex, the most salient points of consideration from the ruling are that it;
- Assumes that contractors and subcontractors who are required to comply with DFARS 252.204 – 7012 have either implemented the 110 NIST SP 800 – 171 security practices or identified gaps in compliance, assessed against their System Security Plan(s) and covered these by a Plan of Action.
- Assumes that the cost of CMMC compliance will be minimal and based upon the incremental costs of compliance above the existing requirements mapped to the relevant CMMC maturity level. There will be additional cost element to comply with additional CMMC practices at level 2, 3, 4 and 5 as additional CMMC practices are applied.
- Contractors are required to flow-down DFARS Claus 252.204 – 7012 to subcontractors through contractual agreements. The result of which is the flow down of CUI related information, the application and oversight of NIST SP 800 – 171 and the appropriate security requirements.
- On formal release of the ruling, contractors and subcontractors processing CUI will be required to submit a current ‘basic’ assessment of their compliance to NIST SP 800 – 171 (following the DoD assessment methodology) into SPRS, before a new contract is awarded. Contractors will be expected to ensure that applicable subcontractors have submitted their assessments of NIST SP 800 – 171 compliance into SPRS prior to the awarding of a subcontract or other contractual instrument. ‘Medium’ and ‘high’ level assessments will be carried out by the DoD personnel, including a relevant programme office and the DCMA.
- The new DFARS clause 252.204 – 7020 will require contractors to provide US government access to their facilities, systems, and personnel when it is necessary for the DoD to conduct or renew a higher-level DoD assessment. DFARS clause 252.204 – 7020 will require contractors to ensure that applicable subcontractors have the results of a current NIST SP 800 – 171 assessment posted in SPRS.
- Upon formal release of the ruling and prior to CMMC programme completion (1st October 2025). If a contract award includes CMMC requirements, a certificate of CMMC compliance for the specified level will be required before the contract is awarded. From the 1st of October 2025, all contractors and subcontractors will require a CMMC certificate of compliance before they are awarded a DoD contract.
- The new DFARS Clause 252.204 – 7021 requires contractors to have a CMMC certification at the level required in the solicitation or contract award and maintain the required CMMC level for the duration of the contract. Including the clause in all subcontracts and ensure that its subcontractors have the appropriate CMMC level prior to awarding a subcontract and include the requirements of the clause in all subcontracts or other contractual instruments.
- In the case where the DoD assessment methodology is used, if a POA is in place for unimplemented security requirements (partial or otherwise) it will result in the security requirement being considered as unimplemented. POAs are not accepted to achieve CMMC compliance.
- Assessments using the DoD assessment methodology and CMMC certifications are valid for 3 years.
- Contractors and subcontractors will require an upto date NIST SP 800 – 171 assessment posted in the DoDs SPRS and/ or a CMMC certificate. Before a contract award will be made.