Updated Cybersecurity Assessment Requirements for Federal Contractors
On September 29, 2020, the US Department of Defense (DoD) released the highly anticipated interim rule (“Interim Rule”) amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the DoD Assessment Methodology and Cybersecurity Maturity Model Certification (CMMC). This new Interim Rule is effective November 30, 2020, in advance of promulgation of a future final rule. (DFARS Case 2019-D041; 85 FR 61505.)
NEW INTERIM COMPLIANCE OBLIGATION: COMPLIANCE CERTIFICATION UNDER NIST 800-171
The most significant change in the Interim Rule is the introduction of the new obligation for federal contractors to either self-certify or obtain a third-party assessment methodology to certify contractor compliance with cybersecurity requirements. (Click here for McDermott’s analysis.) Pursuant to the Interim Rule, beginning November 30, 2020, all contractors and subcontractors who accept contracts containing DFARS clause 252.204-7012 will need to comply with the National Institute of Standards and Technology (NIST) Assessment methodology for initial assessments, and update those assessments every three years.
This framework expands on existing requirements for federal contractors, as set forth by DFARS Clause 242.204-7012 and NIST Special Publication (SP) 800-171.
NIST SP 800-171 ASSESSMENT METHODOLOGY
The NIST Assessment Methodology is designed to enable the federal government to assess its prime contractors and for the prime contractors to assess their subcontractors.
To qualify for new contract awards after the implementation date of the Interim Rule, contractors and subcontractors are required to have an assessment on record within the last three years (or more recently for certain contracts). (Interim Rule, 85 FR at 61506.)
The methodology provides for three types of assessments. (Assessment Methodology at 3-5.)
Basic. Basic Assessments are self-assessments performed by the contractor or the subcontractor against the 110 controls of NIST SP 800-171. A Basic Assessment provides only a minimum level of confidence in the resulting score because it is a self-assessment.
Medium. Medium Assessments are performed by DoD-trained personnel, who assess the contractor’s system security plan to determine how each requirement is met and identify any measures that may not properly address security requirements. These assessments provide a medium level of confidence in the resulting score.
High. High Assessments are performed by DoD-trained personnel using NIST SP 800-171A. The assessors review evidence and demonstrations of compliance with the 110 controls of NIST SP 800-171. On-site assessments are preferred, but the methodology allows for virtual assessment with the same methodology as the on-site assessment with added data protections. These assessments provide the highest confidence level in the resulting score.
All contractors (and applicable subcontractors) will be required to execute a self-assessment of compliance at the Basic Assessment level. The federal government will determine if an additional Medium or High Assessment will be necessary. The results of all applicable assessments are recorded in the Supplier Performance Risk System and are valid for up to three years.
All levels of NIST Assessment use the same scoring system. A score of 110 represents full implementation of the NIST SP 800-171 controls, regardless of the method of implementation. Deductions from 110 are made for each control not implemented at the time of the assessment, with weights assigned to different controls. (Assessment Methodology at 7; 48 CFR 252.204-7020 (85 FR 61521–22).)
Each assessment begins with the contractor’s System Security Plan(s) (SSP). The SSP is a document that defines the controls applicable to a system with a given boundary. A contractor may define one SSP for its entire technical environment or may define multiple SSPs if controls differ across segments of the environment. The multiple SSP approach allows a contractor to designate a specific technical environment for processing controlled unclassified information (CUI) and thus limits the scope of the assessment. The NIST Assessment methodology requires the existence of an SSP. Without an SSP, no assessment can proceed, even at the basic level.
PHASE-IN OF CMMC CERTIFICATION REQUIREMENTS
Between November 30, 2020, and October 1, 2025, federal contracts will phase in requirements for CMMC certification in place of the NIST Assessment. By October 1, 2025, all applicable federal contractors and subcontractors will be required to have CMMC certification. (Interim Rule 85 FR at 61511.)
The Interim Rule also introduces DFARS subpart 204.75, which specifies the policy and procedures for awarding a contract requiring CMMC certification during the CMMC phase-in period. The CMMC certification process for contractors and assessors as CMMC Third-Party Assessment Organizations (C3PAO) are managed by the CMMC Accreditation Body (CMMC AB). There are five levels of CMMC certification, with level 3 aligning closely to the NIST SP 800-171 framework (full discussion here). The Interim Rule clarifies that for applicable contracts, CMMC certification must be provided at the time of the award. (Interim Rule 85 FR at 61406–7.) Further public comment has been requested on this timing, as the government contemplated requiring certification at the time of the proposal or after the award.
All new prime contractors and applicable subcontractors who contract under DFARS clause 252.204-7012 will need to be fully prepared to fulfill the Basic Assessment requirement as of November 30, 2020, to qualify for future contract awards.
The government may require Medium and/or High Assessments for any contract. Contractors should begin to prepare for the self-assessment process immediately, as remediation activities could result in significant time and costs in light of the more stringent requirements associated with higher levels of compliance. Current contractors involved in classified or sensitive contracting environments would be well served to ensure that an assessment team is in place, SSP(s) have been completed for every relevant environment and the team, including counsel, has a thorough understanding of the assessment requirements in preparing for future contract opportunities.
Federal contractors and subcontractors should continue to monitor the CMMC process and leverage the self-assessment process to prepare for their anticipated level of CMMC certification. Although CMMC certification is not required until the contract is awarded, just as with the self-assessments, remediation activities can be costly, and should not be allowed to delay acceptance of contract awards.
Contractors who are ready to be certified will have a competitive advantage for the growing number of CMMC-requiring contracts over the next five years.