Last week, the DoD issued an interim rule that fundamentally changes the way contractors meet and report their cybersecurity readiness to the government. Widely anticipated, this rule embeds CMMC into contracts moving forward and adds key requirements to ensure the cybersecurity of our nation’s Defense Industrial Base (DIB).
The rule change adds three new clauses to DFARS: 7019, 7020, and 7021. However, a closer look shows that there is actually a lot more to it than just adding CMMC. Here’s the summary:
The first surprise is that DFARS 252.204-7012 doesn’t actually change. By reaffirming DFARS 252.204-7012 as is, the underlying requirements for FedRAMP Moderate, NIST 800-171 and clauses (c) through (g) will continue unchanged.
DFARS 252.204-7019 requires an assessment against NIST 800-171 in new contracts. This builds off the DCMA program of contractor audits, so it appears this program will be the bridge as CMMC ramps up. There are three types of assessments: Basic, Medium, and High. Basic will be a self-assessment, while Medium and High will be conducted by DCMA.
The results of an assessment (including self-assessments) need to be uploaded to the Supplier Performance Risk System (SPRS). This will be the central database that holds the scores of both the NIST assessments and the CMMC certifications. The results are more than just a score. The rule states that, in addition to the score from the assessment, a contractor must upload information regarding its System Security Plan (SSP) and the expected date to complete all aspects of NIST 800-171.
DFARS 252.204-7020 requires contractors to provide access to “facilities, systems and personnel” in support of assessments. It also requires a flow-down clause so that “subcontractors have results of a current assessment in SPRS prior to contract award.” This ties everything in the supply chain together and ensures assessors can access systems for the purpose of an assessment. It’s also important to note that this flow-down applies to all subcontractors in the supply chain, not only the first-tier entity.
DFARS 252.204-7021 is the clause that focuses on CMMC. This clause requires CMMC to be part of contracts and implements it essentially unchanged based on what we have been seeing over the last several months. Among the features it includes:
The interim rule goes into effect Nov. 30, 2020 but it will not be a “big bang” that changes everything overnight. Overall, there is a five-year rollout planned to ensure the industry can adjust to these requirements and get through the certification process.
Initially, solicitations will need the approval of the Office of the Under Secretary of Defense for Acquisition and Sustainment to include CMMC. This gives that office control over the pace at which the requirement propagates out into the system, as well as the ability to prioritize contracts that it feels are more important.
We don’t really know at this point. I would expect the most sensitive contracts like missile defense and hypersonics will get prioritized, but at this point, I have not heard anything from the CMMC team.
CMMC is still very early and trying to get off the ground. There are over 200,000 companies that will eventually need to be certified, and right now there are fewer than 100 auditors. Once those auditors get certified, the early audits will somehow need to be aligned to the early contracts…which is probably impossible. Further, there is still a tremendous amount unknown about how audits will be conducted. There will be a lot of conversations around what is and isn’t acceptable for individual controls.
That isn’t to criticize the program. They are doing amazing, vital work in an incredibly short amount of time. We’re just at a phase where this is going to be bumpy. There will be misfires. There will be course corrections. Be patient and let the process play out.
With that said, participate. If you have questions, comments, or suggestions, speak up! The rule notice has an address to submit comments and the CMMC team is all over the place in the market advocating for this process.
First, take this seriously. We talk to companies every day that are still in “wait and see” mode. As Yogi Berra said, “it’s getting late early,” and those that are waiting are going to get left behind.
Second, recognize that you already have contractual commitments in this area:
Look at your prime contractors. Start talking to them about their timelines and how they interpret these requirements. The 7020 clause codifies the flow-downs, and we know primes are working to ensure their subs are getting in line. If your business is dependent on a prime, then their timelines and requirements are more important than the government’s.
Compliance is about people, process, and technology. We bring the technology. C3 Integrated Solutions has a 6-step approach built around the Microsoft Government Cloud that builds a security program from the ground up, one that not only prepares you for an audit but also ensures you are actually secured.
We start by consolidating your core communications and collaboration services on a compliant platform, usually Microsoft 365 GCC High. Think e-mail, document management, and collaboration workspaces. Then we focus on access control and device security. After that, we transition to active threat hunting and monitoring, which is fed into Azure Sentinel for your Security Information and Event Management (SIEM). And that’s just the start.
Interested in hearing more? Stay tuned for our next post, or better yet contact us today.