DoD Cybersecurity Updates – CMMC 2.0 Timelines and a Reminder on DFARS Compliance
Key Details: Earlier this year, the U.S. Department of Defense (DoD) released a memorandum (“The Memo”) regarding noncompliance with Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, titled “Safeguarding Covered Defense Information and Cyber Incident Reporting”. Furthermore, as Ryan & Wetmore previously reported, implementation of CMMC 2.0 is on the horizon. DoD officials have been hinting at a ramp-up of CMMC 2.0 requirements in the summer of 2023. As such, CMMC 2.0 requirements will begin to appear in DoD contracts this month and are expected to be incorporated into all DoD contracts by October 2025. Contractors are encouraged to start ensuring their security infrastructure and systems comply, as these timelines could affect future payments and the award of contracts.
As noted above, the DoD appears to be increasing its focus on cybersecurity initiatives for a more secure defense industrial base. Defense contractors may be required to perform a self-evaluation and update their current cybersecurity infrastructure to remain compliant. For further information and expertise, contact Ryan & Wetmore today.
CMMC 2.0 Timeline
CMMC 2.0 was launched by the DoD to safeguard sensitive national security information. CMMC 2.0 provides a comprehensive framework to protect the defense industrial base (DIB) from the increasing risk of cybersecurity attacks. CMMC 2.0 also aims to enhance the program through:
- Simplifying standards (lowering the original 5 levels of compliance to 3 and allowing self-assessments at the lowest requirement level).
- Clarifying cybersecurity regulations, policies, and contractor requirements.
- Focusing more advanced cybersecurity and assessment standards on contractors that support high priority programs.
- Increasing DoD oversight of professional and ethical standards during assessments.
The DoD hopes that these enhancements will increase contractor accountability in implementing cybersecurity standards while also minimizing compliance barriers and costs.
CMMC 2.0 Levels:
- Level 1
  - Applies to defense industrial base contractors who handle Federal Contract Information (FCI).
  - Includes a subset of NIST SP 800-171 cyber hygiene practices.
- Level 2
  - Applies to contractors who handle Controlled Unclassified Information (CUI) that is identified as Critical National Security Information. This level requires third-party assessments.
  - Includes the 110 controls of NIST SP 800-171.
- Level 3
  - This level is still under development; however, the DoD lists 110+ practices based on NIST SP 800-172.
  - Applies to sensitive and high-risk DoD contracts.
Contractors may begin seeing CMMC 2.0 requirements in DoD contracts this month. As CMMC 2.0 continues its journey through the federal rulemaking process and begins to be implemented into contracts, contractors are encouraged to fully review and understand the various tiers of requirements under this program.
The DoD Memorandum – How to Maintain Compliance with DFARS 252.204-7012
The Memo reminds contracting officers (COs) that noncompliance with DFARS clause 252.204-7012 may constitute a breach of contract. This DFARS clause requires contractors to implement, at a minimum, the NIST SP 800-171 requirements on covered contractor information systems. Furthermore, contractors who have not yet implemented every requirement must have a documented plan of action and milestones for implementing the outstanding requirements in order to remain compliant.
Failure to Comply
Failure to make progress on a plan to implement NIST SP 800-171 may be considered a material breach of contract terms. Such a breach may justify the government withholding progress payments and forgoing remaining contract options. Furthermore, noncompliance may result in termination of the contract in part or in whole. As such, contractors are encouraged to fully examine their cybersecurity infrastructure to ensure they remain in compliance.
What do the NIST SP 800-171 Assessments Consist of?
The Memo provides that under DFARS clause 252.204-7020, the DoD can determine which level of the NIST SP 800-171 DoD Assessment to conduct. A “High Assessment” consists of:
1. A review of the contractor’s Basic Assessment
2. A thorough document review
3. Verification, examination, and demonstration of the contractor’s system security plan to validate that the NIST SP 800-171 security requirements have been implemented as described in that plan
4. Discussions to obtain additional information or clarification as needed.
The “Medium Assessment” consists of items 1, 2, and 4 above. These assessments are typically conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) for contracts administered by the DCMA, or otherwise by the DoD program office or requiring activity.
Restrictions to be Aware of
Under the Memo, contracting officers are reminded that they cannot unilaterally levy a requirement for NIST SP 800-171 assessments on contracts that do not include DFARS clause 252.204-7012. However, contracting officers may negotiate bilateral modifications to incorporate the DFARS clause.
Contractors are encouraged to review their contracts for DFARS clause 252.204-7012, which requires implementing NIST SP 800-171 on a covered contractor information system. Summary-level scores from the current DoD Assessment for that system must be posted in the Supplier Performance Risk System (SPRS). SPRS collects performance information and assessment results for the DoD for use in identifying and monitoring unclassified performance and for meeting acquisition regulatory and policy requirements.
Additionally, contractors should watch for the newly released draft of NIST SP 800-171 Revision 3, which provides the foundational framework for the protection of controlled unclassified information. These changes may require businesses to reconsider their cybersecurity and information protection programs and systems.
Conclusion and Action Plan
Both the DoD Memo and CMMC 2.0 add a layer of complexity to cybersecurity compliance for the DIB. Contractors should aim to perform the following tasks prior to contract review to ensure their internal systems are in order:
- Get started today! Perform a self-assessment and evaluate your current cybersecurity infrastructure. Are there significant internal controls in place to safeguard sensitive information?
- Identify gaps in defenses and invest in capabilities. This can include investing in employee training or service providers.
- Understand and provide training on the most common types of cybersecurity threats such as phishing attempts, malware, viruses, ransomware, and spyware.
- Ensure your networks are secure and that you have updated antivirus software.
- Monitor any cloud service provider accounts and enable multi-factor authentication.
- Understand your company’s capture strategy and pipeline of future contracts. Identifying the requirements in the future will enable your company to prepare ahead of time.
- Establish written policies and procedures and ensure integration with current technology. Ensure employees understand the policies and procedures.
After completing the steps outlined above, contractors are encouraged to perform the following:
- Review your contracts to determine whether the DFARS clause 252.204-7020 is applicable. For contracts that do include this clause, ensure self-assessments are accurate.
- Monitor compliance with NIST SP 800-171, identify areas that need extra attention, and create plans of action and milestones to remain in full compliance.
- Review and understand the requirements under CMMC 2.0 and prepare your systems for assessment.
- Designate an internal employee to be the CMMC liaison. This should be integrated with business development and IT groups.
- Meet with your law firm to review and discuss current and future contracts that have cybersecurity requirements. Contractors should also discuss with their lawyers whether the entire company is required to be in compliance with CMMC requirements, or if departmental compliance is satisfactory.
- Go through a security assessment with a firm or industry expert to identify the security gaps and infrastructure required for compliance.
Completing the above items will enable contractors to discover any holes in their security infrastructure and remediate them as needed. It is important to note that additional items and requirements may apply to particular contractors. Contractors are encouraged to monitor any changes to the requirements discussed above; understanding and staying up to date on the various requirements, as well as performing self-evaluations, will therefore be key. For more information, contact Ryan & Wetmore today.
Today’s Thought Leaders
About Peter Ryan
Partner, Co-founder, & CPA
Peter T. Ryan co-founded Ryan & Wetmore in 1988 with business partner Michael J. Wetmore. Peter provides clients with the best strategies for success. His expertise extends across various industries. Peter obtained a Master of Business Administration in Finance from the University of Baltimore and a Bachelor of Arts in Accounting from the Catholic University of America.
About Jason Dudas
Director & CPA
Jason is a Senior Manager in our Vienna, VA office. Since joining the firm in 2009, he has worked closely with clients on tax, audit, and accounting issues. Jason has become an expert in construction accounting and is a member of the Real Estate and Construction CPAs. He also has experience with research and development credits and tangible property regulations.
About Rosie Cheng
Rosie Cheng is a Finance Consultant at Ryan & Wetmore. She focuses on government contracting services and produces many of the firm’s government contracting newsletters. Rosie graduated from Georgetown University with a Master of Science in Management and from William and Mary with a Bachelor of Business Administration.