DoD (Finally) Issues Interim Rule Regarding CMMC
Last week, the DoD issued an interim rule that fundamentally changes the way contractors meet and report their cybersecurity readiness to the government. Widely anticipated, this rule embeds CMMC into contracts moving forward and adds key requirements to ensure the cybersecurity of our nation’s Defense Industrial Base (DIB).
What’s In The Rule Change?
The rule change adds three new clauses to DFARS; 7019, 7020, and 7021. However, a closer look shows that there is actually a lot more than just adding CMMC. Here’s the summary:
The first surprise is that DFARS 252.204-7012 doesn’t actually change. By reaffirming DFARS 252.204-7012 as is, the underlying requirements for FedRAMP Moderate, NIST 800-171 and clauses (c) through (g) will continue unchanged.
DFARS 252.204-7019 requires an assessment of NIST 800-171 in new contracts. This builds off the DCMA program of contractor audits so it appears this program will be the bridge as CMMC ramps up. There are three types of assessments, Basic, Medium, and High. Basic will be a self-assessment while Medium and High will be conducted by DCMA.
The results of an assessment (including self-assessments) need to be uploaded to the Supplier Performance Risk System (SPRS). This will be the central database that holds the scores of both the NIST assessments and the CMMC certifications. The results are more than just a score. The rule states that in addition to the score from the assessment a contractor must upload information regarding its SSP, and the expected date to complete all aspects of NIST 800-171.
DFARS 252.204-7020 requires contractors to provide access to “facilities, systems and personnel” in support of assessments. It also requires a flow down clause that “subcontractors have results of a current assessment in SPRS prior to contract award.” This ties everything in the supply chain together and ensures assessors can access systems for the purpose of an assessment. Its also important to note that this flow down applies to all subcontractors in the supply chain as opposed to the first level entity.
DFARS 252.204-7021 is the clause that focuses on CMMC. This clause requires CMMC to be part of contracts and implements it essentially unchanged based on what we have been seeing over the last several months. Among the features it includes:
- Five levels of classification;
- Builds upon existing FAR, DFARS clauses;
- If you hold CUI, then you will be at least Level 3 (NIST 800-171 plus 20 additional controls);
- Certified Third Party Audit Organizations (C3PAO) will audit and accredit compliance;
- Audit results will be stored in SPRS; and
- Audits are pass/fail – no POAMs.
What is the Timeline?
The interim rule goes into effect Nov. 30, 2020 but it will not be a “big bang” that changes everything overnight. Overall, there is a five-year rollout planned to ensure the industry can adjust to these requirements and get through the certification process.
Initially, solicitations will need the approval of the Office of Undersecretary of Defense for Acquisition and Sustainment to include CMMC. This gives that office control over the pace of how quickly this will propagate out into the system, as well as prioritize contracts that it feels are more important.
Who Goes First? What Contracts Will Get Prioritized?
We don’t really know at this point. I would expect the most sensitive contracts like missile defense and hypersonics will get prioritized, but at this point, I have not heard anything from the CMMC team.
CMMC is still very early and trying to get off the ground. There are over 200,000 companies that will need to eventually be certified and right now there are less than 100 auditors. Once those auditors get certified, then, somehow the early audits will need to get aligned to the early contracts…which is probably impossible. Further, there is still a tremendous amount unknown about how audits will be conducted. There will be a lot of conversations around what is and isn’t acceptable for individual controls.
That isn’t to criticize the program. They are doing amazing, vital work in an incredibly short amount of time. We’re just at a phase where this is going to be bumpy. There will be misfires. There will be course corrections. Be patient and let the process play out.
With that said, participate. If you have questions, comments, or suggestions, speak up! The rule notice has an address to submit comments and the CMMC team is all over the place in the market advocating for this process.
What Should Defense Contractors Do?
First, take this seriously. We talk to companies every day that are still in “wait and see” mode. As Yogi Berra said, “it’s getting late early,” and those that are waiting are going to get left behind.
Second, recognize that you already have contractual commitments in this area:
- Level 1 is based off FAR 52.204-21 which is in every federal contract
- Level 3 is aligned to DFARS 7012 plus those 20 additional controls
Start with your current requirements and get those in order. Next, follow the industry information, especially CMMC AB for updates. Be patient. There will be course corrections. Not everything will be gospel on day one. Lastly, recognize this is not a small effort. Even mature companies are taking months to get ready for Level 3.
What About Small and Mid-Market Contractors?
Look at your prime contractors. Start talking to them about their timelines and how they interpret these requirements. The 7020 clause codifies the flow-downs and we know primes are working to ensure their subs are getting in line. If your business is dependent on a prime, then their timelines and requirements are more important the governments.
We Can Help
Compliance is about people, process, and technology. We bring the technology. C3 Integrated Solutions has a 6-step approach built around the Microsoft Government Cloud that builds from the ground up a security approach that not just prepares you for an audit, but also ensures you are secured.
We start with consolidating your core communications and collaboration services on a compliant platform, usually Microsoft 365 GCC High. Think e-mail, document management, collaboration workspaces. Then we focus on access control and device security. After that we, transition to active threat hunting and monitoring which is fed into Azure Sentinel for your Security Incident and Event Management (SIEM). And that’s just the start.
Interested in hearing more? Stay tuned for our next post, or better yet contact us today.
Bill Wootton is the Founder and President of C3 Integrated Solutions, a full-service IT provider based in Arlington, VA that specializes in securing our nation’s Defense Industrial Base through cloud-based solutions and industry leading partners. Bill is passionate about bringing cyber-awareness, and cyber-maturity to the nation’s Defense Industrial Base, working with clients to help them achieve CMMC and NIST 800-171 compliance by providing MSP, security and Office 365 integration services.