Latest Update on DoD’s CMMC Program – The Interim Rule

By:  Ron Frechette, The Cyber Coach

The twists continue to turn for Federal DoD Prime and Sub-Contractors related to the latest update on the adoption of the Cybersecurity Maturity Model Certification (CMMC) program. On September 29, 2020, the Defense Acquisitions Regulation System, DoD issued an Interim Rule that appears to be serving as a bridge that crosses over into the full implementation of CMMC, which is expected to be in full effect by October 2025.  Jason Miller of the Federal News Network, posted an article recently that paints a fairly accurate picture of the DoD’s current state of affairs related to CMMC.

Rather than focus on all the “behind the scenes” fuss, we are going to get right to the meat of the matter and provide you with the updated information you need to make good business decisions and the action steps you need to take in order to remain competitive and be in compliance with the Interim Rule and CMMC. We’ve included several links within this document that will provide detailed information directly from the sources that developed and launched the Interim Rule and CMMC.

What is The Interim Rule?

The Interim Rule, Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041), states that federal contractors must now “self-certify” to verify they are compliant with NIST SP 800-171 cybersecurity requirements. This has always been the case, so no big change here.  The difference in the Interim Rule, however, is that effective November 30, 2020, three new regulations will further define contractor obligations to protect Department of Defense (DoD) Controlled Unclassified Information (CUI):

    1. DFARS 252.204-7019, Notice of NIST SP800-171 DoD Assessment Requirements
    2. DFARS 252.204-7020, NIST SP800-171 Assessment Requirements
    3. DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements

In addition to the DFARS 252.204-7021 clause, which formally begins DoD’s adoption of the Cybersecurity Maturity Model Certification (CMMC), DFARS 252.204-7019 and DFARS 252.204-7020 require that all contractors have and maintain a current assessment score using the DCMA assessment methodology in the DoD Supplier Performance Risk System (SPRS), and prior to awarding any contracts/subcontracts involving CUI, all contractors must confirm that a current assessment score is in SPRS. These obligations flow to all organizations in the Defense Industrial Base who manage CUI with their subcontractors.

NIST SP 800-171 Assessment Methodology

The NIST Assessment Methodology is designed to enable the federal government to assess its prime contractors and for the prime contractors to assess their subcontractors. This can be performed internally or by a qualified 3rd party cybersecurity advisor.

To qualify for new contract awards after the November 30th implementation date of the Interim Rule, contractors and subcontractors are required to have an assessment on record within the last three years. (Interim Rule, 85 FR at 61506.)

The methodology provides for three types of assessments:

  • Basic. Basic Assessments are self-assessments performed by the contractor or the subcontractor against the 110 controls of NIST SP 800-171. A Basic Assessment provides only a minimum level of confidence in the resulting score because it is a self-assessment.
  • Medium. Medium Assessments are performed by DoD-trained personnel, who assess the contractor’s system security plan to determine how each requirement is met and identify any measures that may not properly address security requirements. These assessments provide a medium level of confidence in the resulting score.
  • High. High Assessments are performed by DoD-trained personnel using NIST SP 800-171A. The assessors review evidence and demonstrations of compliance with the 110 controls of NIST SP 800-171. On-site assessments are preferred, but the methodology allows for virtual assessment with the same methodology as the on-site assessment with added data protections. These assessments provide the highest confidence level in the resulting score.

All federal prime and subcontractors will be required to execute a self-assessment of compliance at the Basic Assessment level. The federal government will determine if an additional Medium or High Assessment will be necessary. The results of all assessments are recorded in the Supplier Performance Risk System and are valid for up to three years.

All levels of NIST Assessment use the same scoring system. A score of 110 represents full implementation of the NIST SP 800-171 controls, regardless of the method of implementation. Deductions from 110 are made for each control not implemented at the time of the assessment, with weights assigned to different controls. (Assessment Methodology at 7; 48 CFR 252.204-7020 (85 FR 61521–22).)

Each assessment begins with evaluating the contractor’s System Security Plan (SSP). The SSP is a document that defines the controls applicable to a system with a given boundary. A contractor may define one SSP for its entire technical environment or may define multiple SSPs if controls differ across segments of the environment. The multiple SSP approach allows a contractor to designate a specific technical environment for processing controlled unclassified information (CUI) which decreases the scope of the assessment. The NIST Assessment methodology requires an SSP.  An assessment without a SSP cannot proceed, even at the basic level.

The Bridge Between the Interim Rule and CMMC

The Interim Rule allows federal contracts to phase in requirements for CMMC certification between November 30, 2020, and October 1, 2025 in place of the NIST Assessment.  All federal prime and subcontractors will be required to have CMMC certification by October 1, 2025. That said, we anticipate seeing the DoD CMMC [acq.osd.mil] requirements in RFIs/RFPs/Contracts in late-2020/early-2021. Addressing outstanding actions now is the best strategy for staying ahead of the curve and minimizing potential supply chain disruptions.

The Interim Rule also introduces DFARS subpart 204.75, which specifies the policy and procedures for awarding a contract requiring CMMC certification during the CMMC phase-in period. The CMMC certification process for contractors and assessors as CMMC Third-Party Assessment Organizations (C3PAO) are managed by the CMMC Accreditation Body (CMMC AB). There are five levels of CMMC certification, with level 3 aligning closely to the NIST SP 800-171 framework (full discussion here). The Interim Rule clarifies that for applicable contracts, CMMC certification must be provided at the time of the award. (Interim Rule 85 FR at 61406–7.) Further public comment has been requested on this timing, as the government contemplated requiring certification at the time of the proposal or after the award.

Immediate Interim Rule Action Steps

To avoid interruptions to future business with federal agencies or prime contractors, contractors need to take the following action immediately:

    1. Ensure you have a current DoD Assessment score in SPRS on or before November 30, 2020.
    2. If your organization’s NIST 800-171 implementation was already assessed by the DCMA (DIBCAC medium or high assessment) and you have received your score you should have satisfied this requirement.
    3. Consider requesting DCMA perform a DIBCAC Medium or High confidence assessment. The external assessment will not only document your score in SPRS, but it will also help your organization prepare for CMMC (third-party) assessment.
    4. At a minimum, determine your score through the basic assessment (self-assessment), and submit it to DoD SPRS following the regulatory guidelines.

In Closing

The Interim Rule mandates that all prime contractors and subcontractors who contract under DFARS clause 252.204-7012 will need to fulfill the Basic Assessment requirement as of November 30, 2020, to qualify for future contract awards.

Contractors should begin to prepare for the self-assessment process immediately.  Remediation activities could result in significant time and costs in light of the more stringent requirements associated with higher levels of compliance.  Contractors involved in classified or sensitive contracting environments should ensure they have an assessment team is in place, System Security Plans have been completed for every relevant environment and the entire team has a thorough understanding of the assessment requirements in preparing for future contract opportunities.

Federal contractors and subcontractors should continue to monitor the CMMC process and leverage the Interim Rule self-assessment process to prepare for their anticipated level of CMMC certification. Although CMMC certification is not required until the contract is awarded, just as with the self-assessments, remediation activities can take time to complete, and should not be allowed to delay acceptance of contract awards.

CMMC is here to stay. Contractors who are ready to be certified will have a competitive advantage for the growing number of CMMC-requiring contracts over the next five years. For more information about how GoldSky Security can assist you in becoming compliant with both the Interim Rule and CMMC, contact us direct for a free consultation.