New Department of Defense Regulations Clarify Contractors’ Responsibilities to Comply with NIST SP 800-171 and CMMC Requirements

Robyn N. Burrows and Michael J. Montalbano

On September 29, 2020, the Department of Defense (“DoD”) issued a long-awaited interim rule to strengthen cybersecurity protections throughout the Defense Industrial Base. The new rule establishes how DoD will assess contractors against the current cybersecurity requirements set out in National Institute of Standards and Technology Special Publication 800-171 (“NIST Requirements”) and under the newly established Cybersecurity Maturity Model Certification (“CMMC”) program. The interim rule goes into effect on November 30, 2020, although, as we discussed in earlier posts, DoD will gradually roll out the CMMC over the next five years.

NIST Self-Assessment Requirements

The first part of the new rule applies to contracts that incorporate DFARS 252.204-7012, which requires contractors and subcontractors that have access to covered defense information to comply with the NIST Requirements. Under the new rule, these entities will need to conduct a “Basic” self-assessment of their compliance with the NIST Requirements, and submit the results of that assessment to DoD through the Supplier Performance Risk System (“SPRS”). Contractors will need to update this self-assessment every three years or sooner if required by a contract. Starting November 30, 2020, contractors will not be eligible for new contracts (including task orders and delivery orders) or for options on existing contracts, unless the self-assessment score is posted on SPRS. DoD expects that it will take 30 days from submission to have the self-assessment score posted on SPRS, so it is important for contractors to submit their assessment at least 30 days prior to the November 30, 2020 implementation date.

DoD has published the self-assessment methodology, but to summarize, the contractor must conduct a self-assessment of each information system that is used to process, store, or manage covered defense information to determine whether that system complies with the NIST Requirements. The highest score an information system can receive is 110 points, which means the system fully complies with the NIST Requirements. If the information system receives a score below 110 points, the contractor must prepare a “plan of action” that describes how and when the contractor will implement the outstanding NIST Requirements.

It is important to note that the new rule does not require complete compliance with the NIST Requirements. As long as the contractor has a self-assessment score listed on SPRS, plans of action for any unimplemented NIST Requirements, and a date for when the contractor will be in full compliance with the NIST Requirements, the contractor will remain eligible for new contracts or to perform options under existing contracts.

CMMC Framework

The second part of the new rule introduces the requirements for the long-awaited CMMC framework. We discussed the details and timing of the CMMC process in an earlier post. The new rule confirms that, over the next five years, DoD contractors will need certification prior to the award of certain contracts designated by the Under Secretary of Defense for Acquisition and Sustainment. The number of contracts that require certification will initially be small and will gradually increase over the next five years. Starting October 1, 2025, all DoD contracts (except contracts exclusively for commercially available off-the-shelf items) will contain a CMMC requirement.

DoD contracts with a CMMC requirement will require that contractors be certified at one of five CMMC levels. To be certified at CMMC level one, the contractor will have to demonstrate that it has in place basic cyber hygiene practices consistent with FAR 52.204-21. CMMC level two requires contractors to comply with FAR 52.204-21, 65 of the 110 NIST Requirements, seven CMMC practices, and two CMMC processes. CMMC level three is for contractors that will be expected to manage or have access to controlled unclassified information (“CUI”). This certification level requires complete compliance with the NIST Requirements, 20 CMMC practices, and three CMMC processes. DoD estimates that the overwhelming majority of new contracts will require a CMMC level of one or three, which means contractors can assess what CMMC level they need by determining whether their work involves CUI.

CMMC levels four and five are reserved for contracts that are expected to be subject to advanced persistent threats (i.e., subject to an adversary that possesses sophisticated levels of expertise and significant resources). Contractors with a level four CMMC must comply with all NIST Requirements, 46 CMMC practices, and four CMMC processes. A level five certification will require compliance with all NIST Requirements, 61 CMMC practices, and five CMMC processes.

Conclusion

DoD’s new rule requires both short- and long-term planning. In the short term, contractors must conduct a self-assessment of their compliance with the NIST Requirements and submit that self-assessment to SPRS by October 30, 2020. This will give DoD at least 30 days to post the self-assessment scores to SPRS ahead of the November 30, 2020 deadline. Taking these steps will ensure that contractors remain eligible for new DoD contracts and for options on existing DoD contracts.

In the long term, contractors must engage CMMC professionals to determine the appropriate CMMC level for their businesses. They must then go through the certification process by hiring a certified third-party auditor to conduct the CMMC audit for the requested level. By beginning this process now, contractors can ensure that they have the requisite certifications as DoD begins rolling out more contracts with the CMMC requirement.