On September 29, 2020, the Department of Defense (DoD) issued an interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the DoD's Cybersecurity Maturity Model Certification (CMMC) program and to introduce the NIST SP 800-171 DoD Assessment Methodology. The stated purpose is to "assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain." While full implementation of CMMC is still years away, the interim rule becomes effective on November 30, 2020, so DoD contractors should familiarize themselves with the new requirements now.
It is worth noting that the DoD issued this as an interim rule, effective without a prior proposed rule, on the basis of urgency. The DoD stated that the "rule is necessary to address threats to the U.S. economy and national security from ongoing malicious cyber activities[.]" Specifically, the rule highlights various "shortcomings and associated risks" in its current efforts to ensure that contractors maintain adequate cybersecurity measures, including a finding by the DoD Inspector General that contractors have not consistently implemented mandatory security requirements. That said, the DoD is requesting public comment on the interim rule, and comments may be submitted on or before November 30, 2020.
DoD Assessment Methodology
Contracts containing DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, require contractors to apply the security requirements of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 to covered contractor information systems that are not part of an IT service or system operated on behalf of the government. Currently, contractors self-certify compliance with that clause when they submit an offer, and no one scores or verifies the claim. The Assessment Methodology augments that self-certification with a scored assessment.
The Assessment Methodology measures how completely a contractor has implemented the 110 NIST SP 800-171 requirements and includes three assessment levels (Basic, Medium, and High) reflecting the depth of the assessment and the confidence in the resulting score. The score starts at 110 and is reduced by 1, 3, or 5 points for each requirement that is not implemented, weighted by the requirement's impact on the system. A Basic assessment is a self-assessment by the contractor, whereas Medium and High assessments are conducted by the government. In the latter case, the new DFARS clause 252.204-7020 requires the contractor to give the government access to its facilities, systems, and personnel when necessary for the DoD to conduct or renew a higher-level assessment. The DoD may perform Medium- or High-level assessments based on the criticality of the program or the sensitivity of the information handled by the contractor. For Medium and High assessments, the government will provide summary-level scores to contractors and an opportunity for rebuttal and adjudication prior to posting the scores. The results of each assessment are then posted in the Supplier Performance Risk System (SPRS), a DoD system that other contractors cannot access. Under the new solicitation provision DFARS 252.204-7019, contracting officers will use SPRS to verify that an offeror has a current assessment on file prior to a contract award. An assessment is current for three years.
It is believed that approximately 300,000 companies with some level of access to controlled unclassified information (CUI) currently do business with the DoD, either directly or as part of the supply chain. It is unlikely that the DoD has the resources to perform Medium- and High-level assessments of all of these contractors. As a result, the DoD may be forced to curtail access to CUI or raise the bar for what constitutes "more sensitive CUI" in order to reduce the number of government-conducted assessments to a manageable figure.
The new contract clause DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, provides greater detail on the assessment process and requires contractors to ensure that any subcontractor subject to NIST SP 800-171 has a current assessment posted in SPRS before the subcontract is awarded.
Separate from the Assessment Methodology, the DoD's CMMC framework will require certain contractors to obtain a CMMC certification verifying that the contractor has implemented specified cybersecurity practices and processes. The purpose of CMMC is to give the DoD confidence that its contractors can adequately protect sensitive unclassified information, namely federal contract information (FCI) and CUI. Note that, unlike NIST SP 800-171 compliance under DFARS 252.204-7012, the CMMC framework does not allow contractors to achieve compliance through plans of action and milestones; a contractor must instead obtain third-party certification at the level specified in the particular contract.
After an assessment by an accredited CMMC Third Party Assessment Organization (C3PAO), contractors will receive a certification issued by the independent CMMC Accreditation Body (AB). (There is also a dispute adjudication process for contractors that disagree with the outcome of a C3PAO assessment.) The certification will denote the CMMC level achieved (currently there are five) and will be recorded in SPRS. The levels build on one another through cumulative requirements and reflect increasing levels of risk based on the sensitivity of the information that the contractor may handle. For example, the highest levels (4 and 5) focus on the risk posed by Advanced Persistent Threats (APTs), which are adversaries "that possess sophisticated levels of expertise and significant resources." A description of the CMMC model and the requirements for each level can be found here.
Contractors that handle FCI but do not process, store, or transmit CUI must obtain a CMMC Level 1 certification, whereas those that handle CUI must achieve Level 3 or higher, depending on the sensitivity of the information. The DoD's interim rule provides estimates of the cost of compliance at each level; a more detailed analysis is available here.
The DoD is gradually phasing in the CMMC requirements by including DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, in select solicitations. However, contractors should know that all DoD solicitations over the micro-purchase threshold (except procurements exclusively for commercial off-the-shelf (COTS) items) will include the CMMC requirements beginning on September 30, 2025. Until then, inclusion of a CMMC requirement in a solicitation during the phase-in period must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment. The DoD estimates that 129,810 unique entities will pursue their initial CMMC certification during the initial five-year phase-in period.
When the new DFARS clause applies, contractors must maintain the required CMMC level for the duration of the contract, ensure that each subcontractor holds a current CMMC certificate at the level appropriate for the information being flowed down to it prior to awarding the subcontract, and flow down the clause in all subcontracts not exclusively for COTS items. The rule also requires contracting officers to verify that the apparently successful offeror's or contractor's CMMC certification is current and meets the required level before making an award, exercising an option, or extending any period of performance.
While the CMMC requirements will not be fully implemented until 2025, in less than two months many important changes and impacts may be coming for defense contractors, including but not limited to the following:
- While the government's NIST SP 800-171 assessments of contractors, documented in SPRS, will not be public, a poor score will nonetheless hinder a contractor's ability to win critical DoD contracts. Furthermore, once contractors have been passed over for awards, and as employees move from one contractor to another, this differentiating information may spread through what is a relatively small contracting community, creating barriers to entry and perhaps narrowing the defense industrial base.
- Under the CMMC program, third parties will be tasked with assessing contractors' cybersecurity maturity. It is still unclear what this will look like in practice and what due process a contractor will have if a third-party assessor unfairly finds that it lacks the maturity to meet the CMMC requirements. Given the impact a negative finding might have, one would expect defense contractors to vigorously defend their maturity rating. Litigation may ensue with the federal government and/or the third-party assessors, and negative findings will also likely make their way into the bid protest arena as contractors compete for these lucrative contracts.
- The interim rule requires prime contractors to verify that their subcontractors have current assessments and CMMC certifications; however, because prime contractors will not have access to their subcontractors' SPRS records, they will need to determine appropriate means (for example, contractual representations or copies of certifications) to verify that their subcontractors are compliant.
- Costs! The interim rule estimates that the cost for a small entity to support a CMMC Level 1 assessment or recertification is $2,999.56. For Level 3, the estimated nonrecurring cost is $26,214 per assessment or recertification, and the estimated recurring annual cost is $41,666. For contracts requiring a Level 5 certification, the rule estimates a nonrecurring cost of $1,230,214 and an annual recurring cost of $384,666.
- Given the costs outlined above, a potential consequence of the CMMC program is that it could make the cost of doing business with the DoD too great for small and medium-size businesses. Submitting comments now on how to shape the program to account for organizations with fewer resources may be integral to small and medium-size defense contractors' ability to continue doing sensitive and critical defense work.
* * * * * * * * * *
As always, Venable attorneys and subject matter experts are available to assist contractors in interpreting and preparing for compliance with these new requirements.