The Department of Defense (DoD) has certainly been talking about the phased rollout of the Cybersecurity Maturity Model Certification (CMMC) for a while now. Unfortunately, all the talk has produced very little clarity about it — until now. In September 2020, the DoD published an interim rule and tried to address some of the outstanding questions. Below is a high-level overview only, designed to help contractors and subcontractors understand the general requirements.
Effective Nov. 30, 2020, the DoD will implement a standard DoD-wide methodology for assessing DoD contractor compliance with security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. It will roll out a DoD certification process, known as the CMMC. CMMC is designed to measure a company’s maturity and institutionalization of cybersecurity practices and processes. Solicitations and contracts will begin incorporating new clauses that will require contractors to adhere to compliance requirements.
Effective Oct. 1, 2025, all DoD contractors and subcontractors will need to be CMMC compliant. By then, Fiscal Year 2026, all DoD solicitations and contracts will be required to incorporate at least minimal compliance requirements.
CMMC requirements are divided into two prongs: 1) assessment of compliance with NIST SP 800-171, and 2) certification under CMMC. These are akin to 1) what contractors have to do now, and 2) what contractors will have to do later — but soon.
1) Tiers of System Assessments for Compliance
If, after Nov. 30, 2020, a solicitation calls for a contractor to have an assessment score to be eligible to receive the award, the contractor has to undergo one of the following assessments.
- Basic – self-assessment
  - Contractors enter the score into the Supplier Performance Risk System (SPRS) database. Note that scores will take 30 days to post in the system.
  - To score, the contractor starts with 110 points and subtracts the value assigned to any not-yet-implemented — pending or never-will-be-implemented — NIST categories. The remaining amount is the contractor’s score.
  - Scores are valid for three years.
  - Contractors must have a score to be “awardable.”
- Medium – government assessment
  - Applies to contractors with sensitive government information and/or certain defense programs.
  - DoD (DCMA) will assess the contractors’ System Security Plan (SSP).
  - Contractors only have 14 days to challenge (appeal) the government’s assessment.
- High – government assessment
  - Medium assessment+.
  - Contractors must demonstrate their security systems to government assessors who will examine and verify the systems.
2) CMMC Certification and Levels 1-5
Beyond the assessments for system compliance, in the near term each defense contractor will need a level of certification under CMMC that corresponds with the type of information that it accesses, holds, stores, views, generates, etc. for performance on its federal awards.
The levels reflect the contractor’s system maturity to deal with a range of cyber threats associated with the type of DoD information the contractor has, and its ability to meet the corresponding practices and processes. For example, if a defense contractor has no Controlled Unclassified Information (CUI), then it only needs a Level 1. But if it does have CUI, then it needs to have at least a Level 3. Levels are cumulative, with Level 5 incorporating all the lower levels.
Solicitations, requests for information, and requests for proposals will carry a minimum CMMC level requirement. Contractors must meet that level or higher in order to be awardable. The government will rely on certified Third-Party Assessment Organizations (C3PAOs), which will certify the contractors’ level of maturity.
The DoD provides extensive detail about the levels here. As a general reference:
- Level 1: Basic safeguarding of Federal Contract Information (FCI).
- Level 2: Transition step to protect CUI.
- Level 3: Protecting CUI.
- Levels 4-5: Protecting CUI and reducing the risk of Advanced Persistent Threats (APTs).
DFARS: Revised, New Clauses, and New Subpart
The Interim Rule revises the language in the existing clauses and subparts and adds several new components to the Defense Federal Acquisition Regulation Supplement (DFARS).
- DFARS Subpart 204.75—CMMC (new) will now detail the DoD policy for CMMC, the procedures for contracting officers to follow, and specify the solicitation provisions and contract clauses required in procurements.
- DFARS Subpart 212.3—Acquisition of Commercial Items (revised) will now reflect that commercial items are subject to CMMC, unless they are commercial-off-the-shelf (COTS) items.
- DFARS 217.207—Exercise of Options (revised) will now require contracting officers – before exercising an option – to verify that the contractor’s assessment is current in SPRS, and that the CMMC level meets or exceeds the requirements of the contract.
- DFARS 252.204-7019—(new) Notice of NIST SP 800–171 DoD Assessment Requirements. If a contractor is subject to CMMC, in order to be considered for an award, an offeror must have a current assessment that is less than three years old for each covered contractor information system relevant to the award.
- DFARS 252.204—(new) NIST SP 800–171 DoD Assessment Requirements. This clause requires a defense contractor to provide access to its facilities, systems, and personnel necessary for the government (here, Defense Contract Management Agency (DCMA)) to conduct a medium or high NIST SP 800–171 DoD Assessment.
- DFARS 252.204-7021—(new) Contractor compliance with the Cybersecurity Maturity Model Certification Level Requirement. This broader clause extends the CMMC level requirements to contractors and their subcontractors.
As with any new rule, there are still a number of questions that are not addressed. For example, it remains unclear how, if, or when foreign-owned defense contractors will permit DoD (DCMA) assessors to view security system components. The timeline for third-party assessors to be ready to begin examining/certifying contractors also remains a mystery.
Stay tuned as the DoD releases more information in this evolving area.