CMMC Compliance Deadlines Looming for US Defense Contractors
The United States federal government has been working to bolster cybersecurity protections for Department of Defense (DoD) confidential unclassified information (CUI) handled and stored by companies that are part of the Defense Industrial Base (DIB). The outcome of these efforts has been the creation of the Cybersecurity Maturity Model Certification (CMMC) based on the cybersecurity framework and controls defined in NIST 800-171.
In September 2020, the DoD issued an interim rule through the Defense Federal Acquisition Regulation Supplement (DFARS) which went into effect in November 2020.
The interim rule informed DoD contractors that CMMC will be the cybersecurity framework relevant to their industry and that they, and their subcontractors, will need to provide self-assessment scores based on NIST 800-171 to the Supplier Performance Risk System (SPRS).
The DoD has planned to finalize the interim rule by December 2022, with CMMC requirements added to procurement contracts by March 2023.
Self-Assessments and SPRS Scores
As part of the CMMC rollout, the DoD introduced two new DFARS clauses, 252.204-7019 and 252.204-7020. DFARS 7019 defines the following requirements for contractors:
- Contractors bidding on new contracts, and options on their current contracts, must continue to continue to perform self-assessments and report their scores to SPRS.
- All contractors who handle CUI must perform at least a basic level assessment using NIST 800-171 assessment methodologies.
- Self-assessments will be scored with a maximum score of 110 based on the 110 controls listed in NIST 800-171.
- Companies may end up with a negative SPRS score because the DoD assessment methodology assigns more than one point to some of the controls.
- SPRS scores must be filed by the time of contract award and maintained throughout the life of the contract.
- Companies that score less than 110 must submit a Plan of Action and Milestones (POAM) detailing the actions and deadlines for remediating cybersecurity gaps detailed in the self-assessment.
- All self-assessments must have been completed within the previous 3 years.
It should be noted that while currently a SPRS score of less than 110 triggers the POAM requirement, when the DoD formalizes and implements CMMC, POAMs will no longer be acceptable for DIB companies bidding on DoD contracts.
DFARS 7020 requires that prime contractors must flow down the DFARS 7019 requirements to all subcontractors and forbids the awarding of contracts to subcontractors if they have not completed a self-assessment and submitted their SPRS score.
The only exception to this rule is in contracts for the acquisition of Commercial Off The Shelf (COTS) items.
CMMC Transition in DFARS 7021
The third change to DFARS is the inclusion of clause 7021, which details the transition from NIST 800-171 to CMMC certification. It further states that both Prime Contractors and Subcontractors must meet the required CMMC certification level by the time of contract award and must maintain the required level of certification throughout the life of the contract.
DoD Audits of Cybersecurity Postures
To demonstrate the importance of meeting cybersecurity requirements, the DoD has begun auditing more defense contractors and randomly reviewing their SPRS scores. This is to ensure that Prime Contractors and Subcontractors are not misrepresenting their cybersecurity posture or SPRS score to qualify for contract awards.
Companies that are found to be in non-compliance will face significant penalties from the DoD along with possible legal repercussions from the Department of Justice False Claims Act of the Civil Cyber Fraud Initiative.
What Does This Mean?
This means that DIB companies looking to bid on new solicitations and those who are looking to bid on options to their current contracts must prepare their organizations to meet the new cybersecurity requirements. Organizations that do not meet requirements will not be considered for contract award by the DoD.
In addition, DFARS defines three levels of assessment – Basic, or self-assessment, Medium, and High. Both the Medium and High Assessments include the requirements of the Basic assessment but give the DoD the option to audit a company’s cybersecurity posture. It is expected that organizations that will be required to meet CMMC Level 2 and Level 3 will likely be subject to a Medium or High assessment. Initially, companies required to meet CMMC Level 2 will be required to be certified by a CMMC Third Party Assessment Organizations (C3PAO). Due to the sensitivity of the CUI for organizations required to meet CMMC Level 3, it is expected that DoD officials will be performing the assessment and certification.
The DoD is expected to finalize the CMMC rollout by March 2023 with CMMC requirements added to contract solicitations by May 2023.
- Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7019, 7020, 7021
- NIST SP 800-171 DoD Assessment Methodology
- “Securing the Defense Industrial Base” – Office of the Under Secretary of Defense, Acquisition and Sustainment Website