On September 29, 2020, the Department of Defense (DoD) released an interim rule that industry hoped would provide clear guidance with regard to DoD’s implementation of its Cybersecurity Maturity Model Certification (CMMC) framework. The vast majority of the rule focuses on DoD’s increased requirements for confirming that contractors are currently in compliance with all 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171). The interim rule also includes a clause for adding CMMC as a requirement in a DoD contract, but the clause fails to address many of the questions that industry has with regard to implementation of the CMMC program. The rule becomes effective November 30, 2020. We have written previously on NIST 800-171 and on the CMMC.
DoD has been focused on improving the cyber resiliency and security of the Defense Industrial Base (DIB) sector for over a decade. The Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. The interim rule is one of multiple efforts by DoD focused on the broader supply chain security and resiliency of the DIB and builds on existing FAR and DFARS clause cybersecurity requirements. Increasing security concerns coupled with recent high-profile data breaches have led DoD to move beyond self-certification to auditable verification systems when it comes to protecting sensitive Government information.
Current Regulatory Landscape
FAR 52.204–21, “Basic Safeguarding of Covered Contractor Information Systems,” requires federal contractors and subcontractors to apply basic safeguarding requirements when processing, storing, or transmitting Federal Contract Information (FCI) in or from covered contractor information systems. DFARS 252.204-7012, “Safeguarding Covered Defense Information And Cyber Incident Reporting,” requires defense contractors to provide “adequate security” for covered defense information which “at a minimum” requires contractors to “implement” NIST 800-171. DoD has interpreted “implement” to mean that a contractor must create a System Security Plan that explains whether the contractor is in compliance with each of the 110 security controls and a Plan of Action and Milestones (POA&M) that describes how the contractor will attain full compliance for any control not yet met.
Following a number of high-profile cyber incidents involving defense programs, the DoD IG conducted a series of contractor audits and concluded that some DoD contractors were not consistently implementing mandated system security requirements or advancing their POA&Ms to achieve full compliance with all 110 security controls. Because of these identified shortcomings in cyber hygiene and the associated risks to national security, DoD has developed a two-pronged approach to assess and verify the ability of contractors to protect the controlled unclassified information (CUI) on their information systems. Those two prongs are: (1) compliance assessment using the NIST 800-171 DoD Assessment Methodology in the near term, and (2) certification under the CMMC Framework as a longer-term remediation.
NIST SP 800-171 DoD Assessment Methodology
The interim rule adds two clauses that impose requirements for assessments of contractor compliance with the NIST SP 800-171 DoD Assessment Methodology. New DFARS provision 252.204–7019 is a solicitation clause that advises offerors that they must have a current (not older than three years) assessment on record in a Government database called the Supplier Performance Risk System (SPRS). This clause is required in all DoD solicitations except for those solely for the acquisition of commercially available off-the-shelf (COTS) items.
New DFARS clause 252.204–7020 designates the NIST 800-171 DoD Assessment Methodology (“Assessment Methodology”) that contractors need to use when conducting Basic Assessments. This methodology was first introduced in a November 2019 Memorandum from Under Secretary of Defense (Acquisition and Sustainment) Ellen Lord, and a version of it has been used by the Defense Contract Management Agency when auditing individual contractors. DFARS 252.204-7020 is also required in all solicitations and contracts, except for those solely for the acquisition of COTS items.
DoD Assessments may be conducted at one of three levels: (1) Basic, (2) Medium, and (3) High. Basic Assessments will be required in new contract actions, including option exercises, after November 30, 2020. After a contract is awarded, DoD may choose to conduct a Medium or High Assessment of a contractor “based on the criticality of the program or the sensitivity of information being handled by the contractor.” There is no further guidance on how that decision will be made or how long after award DoD can decide to conduct the assessment. The Assessment levels are defined in the interim rule as follows:
- Basic Assessment: This is a self-assessment by contractors using the NIST 800-171 DoD Assessment Methodology. A company that has fully implemented all 110 NIST SP 800–171 security requirements would receive a score of 110 to report in the SPRS for its Basic Assessment. A company that has controls where it has not achieved compliance will use the scoring in the Methodology to assign a value to each unimplemented requirement. The starting score of 110 is reduced by the value of each requirement not implemented. Requirements are weighted differently based on their impact to the covered contractor information system, so a contractor may receive a negative score depending on which controls have not been implemented. With the exception of two requirements for which the scoring of partial implementation is built in (multifactor authentication and FIPS-validated encryption), the methodology is not designed to credit partial implementation. Within 30 days of conducting the Basic Assessment, contractors must provide the Government, by posting in the SPRS, with the summary level score and the date certain by which the contractor will achieve full compliance with all 110 security requirements. The Basic Assessment results in a confidence level of “Low” because it is a self-generated score.
- Medium Assessment: This is an assessment conducted by the Government that includes a review of the contractor’s Basic Assessment, a thorough document review, and discussions with the contractor to obtain additional information or clarification as needed. Contractors must provide the Government access to their facilities, systems, and personnel as needed by the Government to conduct the assessment. This assessment results in a confidence level of “Medium” in the resulting score.
- High Assessment: This Assessment includes everything in the Medium Assessment, as well as verification, examination, and demonstration of a Contractor’s system security plan to validate that NIST 800-171 security requirements have been implemented as described in the plan. Contractors must provide the Government access to their facilities, systems, and personnel as needed to conduct the Assessment. This Assessment results in a confidence level of “High” in the resulting score.
DoD will provide contractors with a summary score for Medium and High Assessments. Contractors that disagree with their scores will have 14 days to provide a rebuttal. The interim rule does not provide guidance on how these rebuttals will be resolved. Before awarding a contract, contracting officers must review the SPRS to ensure a contractor has a current Assessment, but the rule does not address whether the summary score could affect an award decision. The interim rule lays out this new requirement as a discriminator in the contracting process, as it requires that contractors have at least a Basic Assessment at the time of award to be eligible. Assessments are current for three years, unless a lesser time is specified in the solicitation.
Contractors must flow down these requirements to all subcontracts except those for COTS items. Additionally, a contractor may not award a subcontract unless the subcontractor has a current assessment in the SPRS. Because contractors only have access to their own information in the SPRS, contractors may need to rely on certifications from subcontractors to satisfy this requirement.
Although the rule is not effective until November 30th, the preamble encourages contractors and subcontractors that are required to implement NIST SP 800-171 pursuant to DFARS clause 252.204-7012 to immediately conduct and submit a self-assessment as described in the interim rule so as to avoid any delays in future contract awards.
The interim rule adds a new DFARS subpart, Subpart 204.75, Cybersecurity Maturity Model Certification (CMMC), to specify the policy and procedures for awarding a contract, or exercising an option on a contract, that includes the requirement for a CMMC certification. The CMMC has five levels, with each solicitation to detail the level required for performance. Self-assessments will not be accepted for purposes of CMMC certifications. To achieve a specific CMMC level, a contractor must demonstrate both process institutionalization/maturity and the implementation of security controls (practices) consistent with that level. Contractors must be assessed by accredited CMMC Third Party Assessment Organizations (C3PAOs), which are currently in the process of being trained as assessors. (Currently, there are no C3PAOs authorized to assess and certify contractors.) After the CMMC Assessment, the contractor will be awarded a certification by the CMMC Accreditation Body (AB) at the appropriate CMMC level. This certification level will be documented in the SPRS and is valid for three years from certification.
If a contractor disputes the outcome of a C3PAO assessment, the contractor may submit a dispute adjudication request to the CMMC–AB “along with supporting information related to claimed errors, malfeasance, or ethical lapses by the C3PAO.” The interim rule states that the CMMC–AB “will follow a formal process to review the adjudication request and provide a preliminary evaluation to the contractor and C3PAO.” If the contractor still disagrees with the CMMC–AB preliminary finding, the contractor may request an additional assessment by the CMMC–AB staff. There is no detail in the interim rule as to how these challenges will be conducted.
The CMMC will be rolled out over a few years. Until it is fully implemented, the Office of the Under Secretary of Defense for Acquisition and Sustainment will be responsible for designating which procurements will require CMMC compliance. By October 1, 2025, all contracts with DoD, other than contracts exclusively for COTS items, will be required to have the CMMC Level identified in the solicitation.
If a solicitation has a CMMC requirement, the interim rule requires contractors to have a current CMMC certification at the time of award. The interim rule requires contracting officers to verify an offeror’s or contractor’s CMMC certification level through the SPRS. Eventually, all contractors and subcontractors will need to obtain a CMMC certification at some level, because at a minimum each solicitation will require a CMMC Level 1 certification.
CMMC certification requirements must be flowed down to subcontractors at all tiers, based on the sensitivity of the unclassified information flowed down to each subcontractor. The interim rule does not provide any detail on what level of CMMC must be flowed to subcontractors (the level of the procurement or the level associated with the data flowed to the subcontractor) or on who determines that level. As a general rule, defense contractors that do not process, store, or transmit CUI must obtain a CMMC Level 1 certification, while defense contractors that process, store, or transmit CUI must achieve at least a CMMC Level 3 certification, depending on the sensitivity of the information associated with a program or technology being developed by the contractor or subcontractor. Additionally, contractors may not award a subcontract before ensuring that the subcontractor has a current CMMC certification at the CMMC level that is appropriate for the information being flowed down to the subcontractor.
Because the results of the Assessment and the CMMC certification will be posted in the SPRS, all DoD Components will have visibility into this information when contemplating contractor eligibility for an award without needing to contact the contractor directly. Additionally, DoD indicates that the two assessments should not duplicate each other’s efforts, or those of any other DoD assessment, except in “rare circumstances” where re-assessment is necessary to ensure current compliance. It is unclear what will constitute a rare circumstance.
The interim rule permits the government access to contractor systems along with confidential and sensitive information. Although such access is permitted under the current DFARS rule for a cyber-incident, the access under the interim rule is much broader and involves access by non-government personnel. There may be some value to the creation of something akin to a bank examiner privilege. In general, the bank examiner privilege protects certain information and communications shared between financial institutions (and their agents and employees) and certain regulators.
Currently, contractors can have a POA&M in place to address deficient NIST 800-171 security controls. DoD is now seeking a date from contractors by when they will be fully compliant. Under the CMMC framework, POA&Ms will not be used; instead, contractors must fully implement each practice (control) and process of a particular level to be certified.
The interim rule leaves contractors with many questions both as to the new Assessment requirements and to the implementation of the CMMC. We have noted some key open questions below.
Assessments – For the Assessment process, it is unclear whether and how contractors will be permitted to update Assessments if changes occur in their cybersecurity posture. Likewise, how DoD will make the determination that a Medium or High Assessment is necessary, or how long after award DoD can decide to conduct such an Assessment, is not specified in the interim rule. Although the interim rule provides contractors fourteen days to rebut the results of a Medium or High Assessment, the rule is short on details for how contractors can demonstrate that they meet any security requirements not observed by the assessment team or rebut findings that may be in question. Similarly, if the Assessment was done incorrectly, it is not clear whether contractors will have any recourse to recoup the costs incurred. The rule points contractors to the SPRS User’s Guide, but the User’s Guide does not provide much detail on how contractors should provide this additional information and what would be persuasive to the Government.
Given that cybersecurity is an evolving situation at most companies, it is likely that contractors will be working to update their practices and processes. There is no guidance on whether and how a contractor can update its Basic Assessment or obtain a new Medium or High Assessment if the contractor remediates the issues that arose during the Assessment.
CMMC – Many questions remain as to how the CMMC process, CMMC–AB, and the C3PAOs will actually operate. For example, DoD still has not provided guidance on how it will choose which procurements will be subject to CMMC or how the level will be assigned once a procurement is selected as subject to CMMC.
Questions remain as to how conflicts of interest will be addressed for both the CMMC–AB and the thousands of assessors. Likewise, the interim rule provides no insight into how DoD and the CMMC–AB will ensure consistency among the C3PAOs performing the audits. For example, will there be an audit process to ensure that C3PAOs are consistent and comprehensive in their assessments?
As with Assessments, details on how the CMMC–AB will resolve contractor disputes with regard to certifications are limited. Even with guidance, the CMMC–AB is a private 501(c)(3) corporation and it remains unclear what level of protection the CMMC–AB gains from its Memorandum of Understanding and expected no-cost contract with DoD, should a contractor seek to elevate a dispute about its certification to a court proceeding. Some of this may depend on the level of oversight that DoD retains over the CMMC–AB and the C3PAOs.
The preamble to the interim rule provides limited information on the costs for implementing CMMC certifications except to say that it “will be driven by multiple factors including market forces, the size and complexity of the network or enclaves under assessment, and the CMMC level.” As the AB is still undergoing the process of determining the rules that would apply for appeals or disputes on certification levels received by C3PAOs, there remains little guidance for contractors who may need to certify in the first round of implementation. Similarly, it is unclear how pricing will be set by the C3PAOs and whether it will be monitored by DoD or consistent across the market.
Finally, it remains unclear how a prime contractor determines what certification level is most appropriate to require of its subcontractors when flowing down the requirements, or whether DoD will provide additional guidance on how to ensure the appropriate level is achieved without leading to the cautionary practice of prime contractors requiring over-certification for suppliers and small business subcontractors. In addition, guidance on whether and to what extent CMMC will affect flow-downs to cloud service providers is needed, given their different treatment under the current DFARS rule.
The interim rule will take effect November 30, 2020, but current and prospective Government contractors have an important opportunity to engage with Government stakeholders, particularly on these open questions. Comments on the interim rule will be due November 30, 2020. DoD is specifically soliciting comments on the effect of requiring CMMC certification at the time of award on small businesses.
The SPRS User’s Guide is available at https://www.sprs.csd.disa.mil/pdf/SPRS_Awardee.pdf.