Updated Rules: CMMC & NIST SP 800-171

22 October, 2020
DoD’s Updated Cybersecurity Rules Can Block Your Next Government Contract Award or Renewal 

Aware of the instability of self-certification under DFARS 252.204-7012 and the need for a more formal program to assess federal contractor implementation of the NIST SP 800-171 requirements, the Department of Defense (DoD) published an interim rule on September 29, 2020 regarding the implementation of the Cybersecurity Maturity Model Certification (CMMC).

This rule calls for immediate cybersecurity self-assessment from DoD contractors and describes expectations for full CMMC implementation over the next five years.

Failure to acknowledge and plan for the immediate and future requirements of the interim CMMC rule may result in lost business and contracting opportunities. 

What are the Cybersecurity Maturity Model Certification (CMMC) and NIST SP 800-171 DoD Assessment Requirements? 

The DoD’s Cybersecurity Maturity Model Certification (CMMC) is a combination of standards and processes that builds upon NIST SP 800-171. NIST SP 800-171 codifies the security requirements that any nonfederal information system must meet in order to store, process, or transmit Controlled Unclassified Information (CUI).

The CMMC combines existing cybersecurity FAR / DFARS clauses, NIST SP 800-171 requirements, CMMC practices, and CMMC processes into a five-tier certification program. The DoD describes CMMC as a “comprehensive and scalable” certification framework. Additionally, CMMC certifications will be conducted by accredited CMMC Third Party Assessment Organizations (C3PAOs).

The NIST SP 800-171 DoD Assessment Requirements (see the new DFARS provision 252.204-7019 and clause 252.204-7020) are a bridge between the current DFARS cybersecurity clause 252.204-7012 and full CMMC contract implementation. The newly released interim rule instructs contractors to perform “Basic” self-assessments and submit the results for posting in the Supplier Performance Risk System (SPRS). It also requires contractors to give DoD access to conduct “Medium” and “High” level assessments as deemed necessary.

Which Federal Contractors Need to Take Immediate Action Under DoD’s New Assessment Requirements? 

The new DFARS provision 252.204-7019 requires offerors that must implement NIST SP 800-171 (that is, contractors subject to DFARS clause 252.204-7012) to have a current (not more than three years old) NIST SP 800-171 DoD Assessment on record in order to be considered for award.

The provision requires offerors to ensure the results of any applicable current assessments are posted in the Supplier Performance Risk System (SPRS) and provides offerors with additional information on conducting and submitting an Assessment when a current one is not posted in SPRS. 

DFARS 252.204-7019 offers a “Basic” assessment level that can be completed and submitted as a contractor self-assessment.

As of November 30, 2020, in order to be considered for awards, renewals, options, task orders, or other actions, contractors will need to have a current assessment for each covered contractor information system that is relevant to the offer posted to the Supplier Performance Risk System (SPRS). 

In simpler terms, all DoD or potential DoD contractors (and subcontractors) need to review the interim rule and assessment clause as soon as possible and take any required actions to prevent interruptions or denials of awards.  

According to the interim rule and clause, it may take up to 30 days for scores to post to SPRS, so it is imperative that affected contractors provide self-assessments as soon as possible in advance of the November 30, 2020 date. 

Additionally, the requirement flows down to subcontracts through DFARS clause 252.204-7020: prime contractors are instructed not to award a subcontract or other contractual instrument subject to DFARS clause 252.204-7012 unless the subcontractor has completed at least the Basic NIST SP 800-171 DoD Assessment within the last three years. Subcontractors can conduct the Basic Assessment themselves and submit the results for posting to SPRS.

What About Longer-term Decision Making For CMMC Implementation? 

The CMMC will apply to all DoD solicitations and contracts starting on or after October 1, 2025. In the meantime, DoD will selectively include the clause 252.204-7021 Cybersecurity Maturity Model Certification Requirements in solicitations as part of a phased rollout.  

Contractors continuing or seeking to perform work with the DoD will need to determine the appropriate CMMC level to certify and maintain. Not meeting the CMMC level requirement upon solicitation release may limit a contractor’s ability to bid or receive an award. Given CMMC certifications will be conducted by C3PAOs, advanced planning is required to secure certification prior to solicitation release. 

Below is a brief description of CMMC level requirements: 

Based on descriptions published within the interim rule, Level 2 is intended as an optional, intermediate step between Level 1 and Level 3. Levels 4 and 5 are meant for contractors that may face advanced threats and raise the bar accordingly. Hence, it can be expected that many contractors will target certification at Level 1 or Level 3.

Also, note that Level 1 references FAR clause 52.204-21. While CMMC is a DoD program, this FAR cybersecurity clause is generally incorporated across agency contracts, so it is not outlandish to speculate that non-DoD contractors may become subject to a program like CMMC in the future. 

In summary, contractors, whether DoD or non-DoD, should assess their business’s current cybersecurity implementation, take stock of existing contract cybersecurity compliance, and begin planning for the CMMC rule and certification levels based on anticipated future federal contracting activity. 

Summary & Next Steps with Regards to DoD’s Interim CMMC Rule 

With the essential framework of CMMC, the new DFARS clauses, and DoD assessment methodology all well defined in the interim rule’s publication, all federal contractors should conduct a serious, methodical review of cybersecurity implementation and federal contract compliance. DoD contractors who are subject to DFARS cybersecurity clause 252.204-7012 need to give extra attention to the rule and begin immediate implementation and planning. 

Additionally, DoD contractors need to quickly identify whether they are subject to the NIST SP 800-171 DoD Assessment Requirements and make plans to submit the company’s Basic self-assessment results to SPRS for posting by November 30, 2020, or as soon as practicable thereafter. Prime contractors will want to notify subcontractors of the assessment requirement and flow down the requirement as applicable.

DoD and all other federal agency contractors should review the interim CMMC rule and determine their specific business approach to certification level and third-party certification engagement. 

If you have questions regarding the near and long-term business impacts of DoD’s Cybersecurity Maturity Model Certification to federal contractors, please contact Government Contracting Specialist and Senior Finance Consultant, Zach Ficklin at Ryan & Wetmore, P.C.