This article is shared by author Eric Bragger
Significant changes are confirmed for DoD contracts per a new Interim Rule to DFARS Clause 252.204-7012 published on September 29, 2020 and going into effect November 30, 2020.
All DoD contractors must act as soon as possible to ensure they will continue to qualify for contracts, task orders, and delivery orders with this DFARS clause.
The term “interim” should not be interpreted to mean that this is a temporary change. As a legal construct, the term “Interim Rule” means that these changes became effective immediately upon publication. The Interim Rule introduces a mandatory scoring system for contractor compliance that requires immediate action. It also takes the wind out of the sails of the Cybersecurity Maturity Model Certification (CMMC) rollout, delaying the DoD-wide requirement to October 1, 2025.
While the Final Rule may incorporate changes based upon comments from industry, Congressional oversight, and lessons learned, make no mistake: the Interim Rule is absolutely going into effect on November 30, 2020, and it will enforce compliance as a condition of qualifying for DoD contracts.
Take Action Now
There are several mandatory steps all DoD contractors should begin as soon as possible to continue qualifying for DoD contracts, task orders, or delivery orders that include DFARS Clause 252.204-7012 as of November 30, 2020.
1. Register on the Supplier Performance Risk System (SPRS).
2. Produce and maintain a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) for each system.
3. Produce and maintain policy, process, and system documentation / evidence of compliance.
4. Conduct a self-assessment in accordance with the NIST SP 800-171 “DoD Assessment Methodology” (110 controls).
5. Enter the self-assessment score into SPRS prior to award, option exercise, or extension of a contract, task order, or delivery order.
6. Remediate all open POA&M items to achieve a perfect score of 110 and update SPRS accordingly.
7. Ensure all sub-contractors also perform the above.
8. Repeat #4-7 no less than once every 3 years.
Prepare for the Future
In order to prepare for upcoming DoD requirements and defend against the ever-increasing risks and impacts of cyber attack, all DoD contractors should:
1. Achieve a 100% “Basic” self-assessment score in strict adherence to the NIST SP 800-171 “DoD Assessment Methodology”.
2. Remediate all known weaknesses as identified in the POA&M.
3. Conduct a formal Risk Assessment to understand the contract assets, business needs, and data being protected.
4. Conduct a self-assessment in accordance with “Level 1” CMMC assessment objectives and remediate findings.
5. Conduct a self-assessment in accordance with “Level 2” CMMC assessment objectives and remediate findings.
6. If processing CUI: Conduct a self-assessment in accordance with “Level 3” CMMC assessment objectives and remediate findings.
Mandatory NIST SP 800-171 Compliance
The Interim Rule further codifies the requirement that all DoD contracts, task orders, and delivery orders with Controlled Unclassified Information (CUI) include the DFARS Clause 252.204-7012 and requires compliance with the 110 controls specified in NIST Special Publication (SP) 800-171.
All contractors (and their subcontractors) will need to do the following for each system:
1. Perform a self-assessment (“Basic Assessment”) per the “DoD Assessment Methodology”.
2. Report their score to the Supplier Performance Risk System (SPRS).
3. Have a completed System Security Plan (SSP).
4. Have a Plan of Action and Milestones (POA&M).
5. Indicate when they expect a perfect score of 110 will be achieved, which requires the POA&M (“last plan of action”) to be “complete” (i.e. no open weaknesses).
There are three assessment types:
– “Basic Assessment”: Self-assessment performed by all contractors. Confidence level is considered “Low” because it is a self-generated score.
– “Medium Assessment”: Conducted by Government personnel. Confidence level is considered “Medium”. Review of the contractor’s Basic Assessment. Thorough document review. Discussion with the contractor of additional information and clarification.
– “High Assessment”: Conducted by Government personnel in accordance with NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information. Confidence level is considered “High”. Review of the contractor’s Basic Assessment. Thorough document review. Validation of controls by verification, examination, and demonstration of the System Security Plan (SSP). Discussion with the contractor of additional information and clarification.
Assessment Type | DoD-Estimated Respondents (Annually)
Total* | 13,068
* All respondents will first complete a Basic Assessment, even if selected for Medium / High.
New CMMC Timelines
You’ve probably seen all the press about the urgency of preparing for CMMC the past few months.
Prior to this Interim Rule, CMMC compliance and a CMMC Assessment were to become mandatory for all DoD contracts with Controlled Unclassified Information (CUI) or Federal Contractor Information (FCI) as of January 2021, with assessments commencing in July 2021.
That will now occur only for contracts pre-selected by the OUSD(A&S) in a five-year phased approach beginning in 2021, until a universal rollout on October 1, 2025.
[Table: phased CMMC rollout by year; columns Year, Level 1, Level 2, Level 3, Level 4, Level 5, Total]
Level | Description
1 | Consists of the 15 basic safeguarding requirements from FAR clause 52.204-21.
2 | Consists of 65 security requirements from NIST SP 800-171 implemented via DFARS clause 252.204-7012, 7 CMMC practices, and 2 CMMC processes. Intended as an optional intermediary step for contractors as part of their progression to Level 3.
3 | Consists of all 110 security requirements from NIST SP 800-171, 20 CMMC practices, and 3 CMMC processes.
4 | Consists of all 110 security requirements from NIST SP 800-171, 46 CMMC practices, and 4 CMMC processes.
5 | Consists of all 110 security requirements from NIST SP 800-171, 61 CMMC practices, and 5 CMMC processes.
What is the Impact of Scoring?
Compliance scores in SPRS are expected to be used by DoD as either a formal or informal differentiator of suitability for contract award.
Unless forbidden by DoD, they will also undoubtedly be used by your competitors in marketing a competitive advantage. There is nothing in the Interim Rule regarding the publishing, sharing, dissemination, or advertising of scores.
The fundamental problem is that not all compliance scores are the same. “Medium” and “High” assessments are conducted by the government to a strict standard; however, “Basic” assessments are derived from self-attestation by the contractor on a pass/fail basis of 1 point per 110 controls.
Therefore, a contractor under pressure to maximize its compliance score must choose between providing a strict, honest, and informed assessment of each control and risking both increased vulnerability to cyber attack and allegations of misrepresentation / False Claims Act (FCA) violations.
This issue may be somewhat mitigated over time because DoD expects all contractors to eventually achieve a perfect score of 110, as evidenced by the Interim Rule requirement for the contractor to indicate in SPRS when they expect to achieve a perfect score. This requires the POA&M (“last plan of action”) to be “complete” (i.e. no open weaknesses).
Written by Eric Bragger
October 1, 2020