DFARS and CMMC: Protecting the DIB and DoD supply chain

Defence procurement

The United States Department of Defense (DoD) invests significant amounts of money ($1.8Tn planned) in new weapons systems such as aircraft, ships, ground fighting vehicles and satellites, and in new IT systems and capabilities to be delivered through prototypes or new procurement pathways, in addition to the annual procurement of offensive and defensive systems for front line fighting forces such as the Air Force, Army and Navy.  These activities create, modify and manufacture existing and new technologies and Intellectual Property (IP) on many diverse digital platforms that reside with DoD suppliers across the Defense Industrial Base (DIB).  Those platforms are required to be secure under DFARS 252.204-7012 if they store, process or transmit Controlled Unclassified Information (CUI).

Cyber events over the past 2 years have confirmed that DoD IP has been lost to nation states and could damage the effectiveness of the offensive and defensive capabilities of the US.  The Council of Economic Advisers, in its 2018 report published by the Office of the President of the USA, estimated that the cost of malicious cyber activity to the US economy in 2016 was between $56Bn and $109Bn.  Alongside this, the intangible costs of cyber-attacks on the DIB will be felt through the loss, damage or destruction of IP, impacting US competitive advantage, imposing an economic cost on DIB contractors, disrupting the flow of products and services through DoD supply chains and potentially affecting front line fighting forces if US IP is used for offensive or defensive purposes by an adversary.

Defense Federal Acquisition Regulation Supplement (DFARS)

DFARS is a comprehensive suite of regulations setting out the expectations for the procurement and supply of products and services to the US military.  Within these regulations is DFARS 48 CFR § 252.204-7012 (Safeguarding covered defense information and cyber incident reporting), which defines the need for the implementation of NIST SP 800-171 (currently revision 2).  NIST SP 800-171 is a comprehensive set of cybersecurity practices for the protection of Controlled Unclassified Information (CUI).  All CUI categories are described in the US National Archives Controlled Unclassified Information (CUI) Registry.

Cybersecurity Maturity Model Certification (CMMC) – Why

Under the DFARS 252.204-7012 regulations, DIB contractors and their subcontractors have been expected to comply with the NIST SP 800-171 practices since 31 December 2017.  However, DFARS 252.204-7012 was not being complied with by the DIB, as highlighted by various Government Accountability Office (GAO) and DoD Inspector General (DoDIG) reports, which concluded that, in general, weapon systems were not cyber secure and the DIB was not adhering to the requirements defined in DFARS 252.204-7012.  To address this, the DoD raised a formal DFARS case in 2019, D041 ‘Strategic Assessment and Cybersecurity Certification Requirements’, initiating the process to implement a methodology for assessing DoD contractors’ compliance against NIST SP 800-171, the protection of Controlled Unclassified Information (CUI) and the reporting of cyber incidents.

In November 2021 the DoD revised CMMC 1.0, issuing CMMC 2.0 and publishing an Advanced Notice of Proposed Rulemaking (ANPR) on 17 November 2021, significantly changing CMMC 1.0 to reflect concerns raised by industry.

DFARS 252.204-7012 (regulation) and CMMC 2.0 (legislation) – Scope and applicability

DFARS 252.204-7012, 7019 and 7020 (enforceable regulation)

DFARS 252.204-7012 came into force on 31 December 2017 and remains in place.  It requires impacted organisations to implement the NIST SP 800-171 cyber security practices, self-attest to compliance, report cyber incidents to the DoD and flow down the DFARS 252.204-7012 clause to their subcontractors.  On 30 November 2020 the CMMC interim final rule introduced DFARS 252.204-7019 and DFARS 252.204-7020.

DFARS 252.204-7019 and 7020 were added to DoD procurement regulations.

  • DFARS clause 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) – Contractors and subcontractors must submit a basic NIST SP 800-171 compliance score to the DoD Supplier Performance Risk System (SPRS) to be considered for contract award.
  • DFARS clause 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements) – The contractor shall provide access to its facilities, systems and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment.

Contractors will not be awarded DoD contracts, and should not award subcontracts, unless a NIST SP 800-171 score is held in SPRS.

CMMC 2.0 (legislation)

CMMC 2.0 addresses concerns raised by industry and the oversight and assurance gaps within CMMC 1.0 and DFARS 252.204-7012 for the protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) and for incident reporting, as specified in Federal Acquisition Regulation (FAR) Clause 48 CFR § 52.204-21.  The CMMC 2.0 proposed rule defines 3 levels of cybersecurity compliance to be achieved by defence contractors.  Each level details the number of cybersecurity practices that must be met, based upon a given DoD contract.

  • Level 1.  Requires self-attestation against 17 NIST SP 800-171 cybersecurity practices.
  • Level 2.  Requires compliance against NIST SP 800-171 with either self-attestation or a third-party assessment, depending on the data being processed, stored or transmitted by the contractor or subcontractor.
  • Level 3.  Will require adherence to NIST SP 800-171 and NIST SP 800-172 practices and an assessment completed by the DoD.

CMMC 2.0 will be applicable to DoD contractors and subcontractors, following the existing DFARS 252.204-7012 (m) ‘flow down’ requirements from contractors to subcontractors.  Contractors and subcontractors will have to confirm that they meet the cybersecurity maturity level defined by the DoD within the Request For Proposal (RFP), submitting evidence of compliance to the DoD.  The DoD will only accept CMMC certificates issued by an accredited CMMC assessor before contract award.

It will take between 9 and 24 months to complete the legislative process to include CMMC 2.0 in DoD contracts.  However, DFARS 252.204-7012, 7019 and 7020 are already applicable, and the implementation of NIST SP 800-171 is required of DoD contractors and subcontractors, who must continue to input their compliance scores to the DoD’s Supplier Performance Risk System (SPRS) ahead of contract award.
