The latest updates and analysis from Morrison Foerster
September 30, 2020 - Cybersecurity & Data Privacy

Department of Defense Issues CMMC Interim Rule, Setting up a Two-Part Process for Review of Contractor IT Systems

DOJ Cyber-Fraud Initiative Highlights Potential Civil Liability for Failing to Meet Federal Cybersecurity Requirements

On September 29, 2020, the Department of Defense (DoD) issued a long-anticipated interim rule implementing its Cybersecurity Maturity Model Certification (CMMC) program.  The rule introduces a new mandatory construct, the DoD Assessment Methodology, to serve as an interim certification process before contractors undergo a full CMMC review.  A full description of the interim rule and what it means for DoD contractors follows.  The interim rule becomes effective November 30, 2020, although full implementation of CMMC will not be achieved until 2025.

******

The interim rule amends the Defense Federal Acquisition Regulation Supplement (DFARS) to achieve phased implementation of both the newly required assessment methodology and the CMMC framework.  The NIST SP 800-171 DoD Assessment Methodology, is a standard approach to assess contractor implementation of the cybersecurity requirements in the National Institutes of Standards and Technology (NIST) Special Publication (SP) 800-171.  The Cybersecurity Maturity Model Certificate (CMMC) Framework is a DoD certification process that measures a company’s further implementation of cybersecurity processes and practices beyond NIST SP 800-171.

DoD Assessment Methodology

The current DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is required in all DoD contracts except those solely for commercial off-the shelf (COTS) items. Under the -7012 clause, contractors must apply the cybersecurity requirements of NIST SP 800-171 to “covered contractor information systems,” which are generally those that store, process, generate, transmit or access DoD-related controlled unclassified information (CUI), which DoD terms “covered defense information.”  Presently, contractors and any of their subcontractors with access to “covered defense information” self-certify as to compliance with the clause through acceptance of the clause in contracts and subcontracts.

The DoD Assessment Methodology requirement was developed to address perceived flaws in this self-assessment process.  The Methodology involves three levels – Basic, Medium, and High – which reflect the level of confidence DoD has in the assessment, and uses a scoring methodology that takes into account how many of the 110 NIST SP 800-171 controls a contractor has fully implemented.

Basic assessments are to be performed by the contractor, using the specified DoD Assessment Methodology.  The results are reported to a Defense Information Systems Agency-run database, the Supplier Performance Risk System (SPRS).  Medium and High assessments will be performed by various DoD components (including the Defense Contract Management Agency) under specific circumstances. These DoD components will also report results of the Medium and High reviews to SPRS.

The SPRS database will be accessible throughout DoD.  Beginning November 30, 2020, contracting officers will be required to check the database to confirm that an entity that is required to implement NIST SP 800-171 has an active SPRS Assessment prior to the award of a new contract or exercise of an option under an existing contract.  SPRS Assessments are good for three years, and must be renewed prior to expiration in order for DoD contractors to maintain eligibility for contract awards.  Assessments must be completed for each contractor IT system used in connection with a DoD contract.

The new contract clauses DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, and 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, describe the assessment process, and the latter clause requires contractors to provide the government access to its facilities, systems, and personnel when higher-level reviews are required.  Both clauses are to be included in all solicitations and contracts after November 30, 2020, including those for commercial items, unless solely COTS products are involved.

The DFARS 252.204-7019 clause walks contractors through the logistics for performing and reporting a Basic DoD Assessment.  As part of the process, each contractor must supply the following information with respect to each system being assessed:  system security plan name, CAGE code, brief description of plan architecture, date of assessment, total score, and date that a score of 110 will be achieved.  Contractors that have fully implemented all 110 NIST SP 800-171 security requirements will be able to report the highest possible score of 110.  Others will merit a lower score depending how many and which requirements are unimplemented.  DoD has indicated that it is requesting this detail so that contractors can no longer leave security controls unaddressed indefinitely.  Now contractors and subcontractors that store, process, generate, transmit or access covered defense information must establish enforceable timelines to address any compliance gaps.

DoD will select contractors for Medium and High review post-award, based on the critical nature of the program involved or particular sensitivity of information being handled by the contractor.  The interim rule states that DoD expects to assess 200 entities a year at the Medium level of review and 110 at the High level.

With the SPRS information, DoD components will have visibility into contractors’ current levels of compliance without having to undertake contract- or program-specific reviews.  There will also be a single source for information, which will eliminate duplicative, and possibly conflicting, assessments by different DoD components.

DFARS 252.204-7019 does not contain a flowdown provision, but the substance of DFARS 252.204-7020 must be flowed down to all subcontractors (except COTS suppliers).  The clause further directs that prime contractors are required to ensure that applicable subcontractors (i.e., those that must meet NIST SP 800-171 requirements) have a current DoD Assessment posted in SPRS.

CMMC Implementation

With the interim rule, DoD is phasing in the rollout of CMMC.  All contracts over the micropurchase threshold (except for COTS) will require CMMC certification beginning September 30, 2025.  Until then, the DoD, specifically, the Office of the Under Secretary of Defense for Acquisition and Sustainment, will decide which solicitations will include the CMMC requirement and the new associated DFARS clause at 252.204-7021, Cybersecurity Maturity Model Certification Requirements.

CMMC assessments will be conducted by designated and specially trained CMMC Third Party Assessment Organizations (C3PAOs).  Once the C3PAO has completed an assessment, the contractor is awarded a certification at the appropriate certification level by the CMMC Accreditation Body (AB).  These certifications will be included in the same SPRS database as the DoD Assessment Methodology reviews.  Also as with the DoD Assessment reviews, CMMC certifications will be good for three years.  Once CMMC is in effect, contracting officers cannot make contract awards, or exercise an option on a contract, if the offeror or contractor does not have a current certification at the CMMC level required under the applicable solicitation or contract.

The various CMMC levels build upon one another.  Level 1, the most basic level, is the equivalent of the current FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.  Level 2 has more requirements, but is not as robust as Level 3, which includes all 110 NIST SP 800-171 requirements, plus an additional 20 CMMC practices and three CMMC processes.  Levels 4 and 5 represent a significant increase in complexity, with far more practices and processes, which are designed to reduce the risk of Advanced Persistent Threats or attacks by adversaries using multiple, sophisticated techniques.  The requirements for each level are described in the CMMC model.

CMMC review can pertain to a contractor’s entire enterprise network or the contractor can elect to have particular network segments or enclaves that will store, process, generate or transmit contract-related information to be evaluated separately (and potentially each at different levels).

Where it appears in current contracts, and in all cases after October 1, 2025, the DFARS 252.204-7021 clause is a mandatory flowdown to subcontractors at all tiers.  The level of CMMC certification that will apply to any given subcontractor, however, will be based on the sensitivity of the information provided to that subcontractor.  The interim rule does not specify whether the government or the contractor will make this determination, but implies that this will be the contractor’s responsibility.

Open Questions and Other Interesting Aspects of the Interim Rule

Subject to the caveat that the final rule may alter the new clause requirements, our preliminary review of the interim rule leads to a few observations:

  • Although this rule has been years in the making, DoD issued it as an interim rule, rather than in draft form, because it made a determination that urgent and compelling circumstances so required. Although DoD has solicited comments, contractors should not expect the final rule to vary significantly from the current interim posture.  Minor clarifications are far more likely than any major policy shift.
  • Beginning November 30, 2020, contracting officers will need to confirm that an entity has an active SPRS Assessment in order to award a new contract or exercise an option under an existing contract where the offeror or contractor is required to implement NIST SP 800-171. Previously, contracting officers have not had to determine whether or not contracts require implementation of NIST SP 800-171, because the -7012 clause was simply inserted into every contract.  How are contracting officers going to make this determination?  In some instances, where extensive covered defense information is involved in contract performance, this may be obvious.  Less obvious, however, may be where the contractor performs its work, and whether covered defense information actually passes through the contractor’s systems.
  • The purpose of the DoD Assessment rating number and level is unclear. As drafted, the interim rule and new regulations only require contracting officers to make sure that an offeror has a current DoD Assessment prior to making award.  Yet what happens if the Assessment score is very low?  Can this be a basis for rejection of an offer?  Can a contracting officer assign more risk and therefore give less evaluation credit to a company with a Basic score below 110?  Or can the contracting officer rate more highly a company with a Medium or High posture even though companies cannot control whether they will be subjected to Medium or High Assessments?  Review will be done post-award in the first instance, but results will be in SPRS thereafter for use with other programs.
  • Because the DoD Assessment Methodology applies not only to new awards but also to the exercise of options, will existing contracts be modified to include DFARS 252.204-7019 and 252.204-7020, or will the clauses only appear in solicitations, and resultant contracts, after the November 30, 2020 effective date for the rule?
  • DoD indicates in the interim rule that it expects 129,810 unique entities will receive a CMMC assessment in the next five years, until CMMC is required for all contractors and subcontractors. This is a highly specific number; it would be informative to the contracting community to know how this estimate was derived so that companies can estimate the timing of their CMMC reviews.
  • DoD states that CMMC will conduct an onsite assessment for every level of review, including Level 1. The possibility of a virtual review for Level 1 assessments had been discussed, but ultimately DoD has concluded that an onsite assessment would be useful to verify implementation of security practices and also to officially identify contractors and subcontractors in the DoD supply chain.  It is not clear how this onsite review will work for contractors and subcontractors outside the U.S.; presumably, C3PAOs will be available worldwide.
  • DoD states that it considered requiring CMMC certification prior to submission of an offer, or after contract award, but ultimately settled on the interim position that an offeror must be certified to the requisite CMMC level at the time of contract award. DoD has invited comment on its decision, perhaps suggesting that it is not wed to this position.
  • At one point, DoD had taken the position that CMMC certification requirements would apply to all DoD contracts, including those involving COTS items. This interim rule indicates that the agency has been persuaded that application to COTS contractors is unnecessary and unduly burdensome.
  • DoD has stated that it does not intend to issue any contracts that require CMMC Level 2 certification, leaving Level 2 as merely a meaningless way station between Levels 1 and 3. So seemingly the only contractors that will be certified at Level 2 will be those that fail to meet the Level 3 requirements.
  • Speaking of CMMC levels, prime contractors are apparently supposed to select the appropriate level for their subcontractors (which may differ from the prime contract level), yet the interim rule and applicable DFARS clauses provide no guidance as to how this is to be accomplished.
  • Likewise, primes must verify that their subcontractors have DoD Assessments and, later, CMMC certifications, yet primes will not have access to the SPRS database, except to review their own submissions. Prime contractors will need to create certification requirements for their subcontractors, and/or ask for copies of subcontractors’ SPRS entries in order to meet this verification requirement.
  • Despite the lack of public access, the security of the information in the SPRS database is unclear. DFARS 252.204-7019(d)(3)(iii) states that documentation related to a High Assessment will be considered CUI and protected against unauthorized release, with specific reference to FOIA Exemption 4 for confidential and trade secret information.  However, information pertaining to other assessment levels need only be protected in accordance with a DoD Instruction on sharing supplier information.  DFARS 252.204-7019(d)(3)(i); DFARS 252.204-7020(f)(1).  DoD does not state it will treat this information as CUI.

What do you contractors and subcontractors need to do now?

As with any major regulatory change, contractors need some clear and immediate direction in terms of next steps and timing.  We therefore would offer, in roughly descending order of priority, the following recommendations:

  • Familiarize yourself with the DoD Assessment and prepare to perform a Basic self-assessment. At least based on the language of the interim rule, assessment results must be reported to SPRS in order for your company to receive an award after November 30, 2020.
  • If you are not required to implement NIST SP 800-171 security controls because your company does not store, process, generate, transmit or access covered defense information on its systems, be prepared to document why you do not need to conduct a DoD Assessment.
  • Plans of Action and Milestones are now risky, as they will lower your Basic DoD Assessment Score and will not be permissible at all under CMMC. Where possible, cybersecurity compliance gaps should be addressed and resolved in the next 60 days.
  • Speak with the program and contracting leadership for upcoming procurements (consistent with Procurement Integrity rules, of course) to get a sense of whether the opportunities may include CMMC requirements.
  • Continue to prepare for CMMC certification at the level appropriate for your work and systems, with the understanding that for some contractors, the certification process may be several years away.