On September 29, 2020, the Department of Defense (DoD) released the long-awaited “interim rule” that many in the industry hoped would provide clear guidance on DoD’s implementation of the Cybersecurity Maturity Model Certification (CMMC) framework. Most of the interim rule, however, is focused on ensuring that contractors are currently compliant with the 110 security requirements already outlined in NIST SP 800-171. The interim rule also includes a clause for adding CMMC as a requirement in a DoD contract, but that clause fails to address many of the industry’s questions about how the CMMC program will be implemented. For some DoD contractors trying to maintain compliance, the interim rule seems to have created more confusion and spawned even more questions. We’d like to try to answer some of the common questions that are arising.
Why Create an Interim Rule so Close to the CMMC Roll-Out Date?
The DoD has been focused on improving the cyber resiliency and security of the Defense Industrial Base (DIB) for several years. The Council of Economic Advisers estimated that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016 alone, so it was apparent that something needed to be done to better protect our information. The interim rule is one of multiple efforts by the DoD not only to better protect the DIB, but also to secure the entire Defense Supply Chain (DSC) by building on the requirements of the existing FAR and DFARS clauses. Recent high-profile data breaches, along with growing security concerns, have now led the DoD to go beyond self-attestation and move toward an auditable verification system in order to better protect sensitive government information.
What Does the Interim Rule Mean for My Organization?
If you are doing business with the DoD, the interim rule applies to you, and it takes effect on November 30, 2020. The interim rule adds a solicitation provision and a contract clause that build directly on NIST SP 800-171:
- DFARS provision 252.204-7019 is a solicitation provision requiring offerors to have a current (not more than three years old) NIST SP 800-171 DoD Assessment of their covered information systems on record in a Government database, the Supplier Performance Risk System (SPRS), before award. This provision is required in all DoD solicitations, except those solely for the acquisition of commercially available off-the-shelf (COTS) items.
- DFARS clause 252.204-7020 designates the NIST SP 800-171 DoD Assessment Methodology (“Assessment Methodology”) that contractors must use when conducting Basic Assessments. This methodology was first introduced in a November 2019 memorandum from the Under Secretary of Defense for Acquisition and Sustainment, and a version of it has already been used by the Defense Contract Management Agency when auditing individual contractors. In essence, it gives you a scorecard for establishing where your organization stands against the 110 security requirements of NIST SP 800-171. A perfect score is 110, and for each requirement that is not implemented you subtract the number of points assigned to it in the scorecard. Each requirement is weighted based on its importance, so the deductions are not uniform, and it is possible for an organization to end up with a negative score after deducting for every requirement it has not implemented. This clause is required in all solicitations and contracts, except those solely for the acquisition of COTS items. The clause also requires contractors to give the Government access to their facilities, systems, and personnel if the Government determines that an assessment above the “Basic” level is needed.
In practical terms, these clauses mean that you must assess your organization using the Assessment Methodology and record the results of that assessment in SPRS by November 30, 2020. Assessments may be conducted at one of three levels: 1) Basic, 2) Medium, and 3) High. A Basic Assessment is what will be required for new contract actions, including option exercises, starting on November 30. After a contract is awarded, the DoD may choose to conduct a Medium or High Assessment of a contractor based on the criticality of the program or the sensitivity of the information the contractor handles. As yet, there is no guidance on how that decision will be made or how long after award the DoD may decide to conduct such an assessment. The assessment levels are defined in the interim rule as follows:
- Basic: This is a self-assessment performed by the contractor using the DoD Assessment Methodology. A company that has fully implemented all 110 requirements of NIST SP 800-171 would record a score of 110 in SPRS for its Basic Assessment. A company that has not implemented all 110 requirements uses the scoring in the Methodology to assign a point value to each unimplemented requirement and subtracts those points from 110. Requirements are weighted differently based on their impact on the contractor’s information system, and there is no partial credit for partially implemented requirements, with the exception of multifactor authentication and FIPS-validated encryption. Within 30 days of completing the assessment, the contractor must post its score in SPRS along with the date by which it expects to reach full implementation. Because the score is self-generated, a Basic Assessment carries a confidence level of “Low.”
- Medium: This is an assessment conducted by the Government that includes a review of the contractor’s Basic Assessment, a thorough document review, and discussions with the contractor to obtain additional information as needed. The contractor must provide the Government access to its facilities, systems, and personnel as needed to complete the assessment. A Medium Assessment carries a confidence level of “Medium” in the resulting score.
- High: This assessment encompasses everything in the Medium Assessment and adds verification, examination, and demonstration of the contractor’s system security plan to validate that the NIST SP 800-171 security requirements have been implemented as that plan describes. A High Assessment carries a confidence level of “High” in the resulting score.
Does the Interim Rule Affect CMMC?
In addition to the provision and clause outlined above, the interim rule also adds DFARS clause 252.204-7021. This clause establishes that, separate from the Assessment Methodology, CMMC will require contractors to obtain a certification verifying that they have implemented the required cybersecurity processes and practices and are equipped to protect the information they will handle should they win the contracts they are pursuing. The interim rule also adds a new DFARS subpart, Subpart 204.75, which specifies the policy and procedures for awarding a contract or exercising an option on a contract when CMMC is required.
It is important to note that the interim rule is an addition to CMMC, not a substitute for it. Even once CMMC is rolled out, contractors will still have to comply with BOTH the CMMC requirements and the existing DFARS requirements (including the interim rule). This matters because of a common misconception that a company can record its self-assessment in SPRS and have it take the place of a CMMC assessment. That is not possible: the interim rule supplements CMMC and does not replace it. CMMC is still on track to start rolling out this fall, with all new solicitations (other than COTS solicitations) containing CMMC requirements by October 2025. The interim rule also reiterates that CMMC requirements must be flowed down to subcontractors at all tiers, based on the sensitivity of the unclassified information each subcontractor will have access to. For the most up-to-date information about the CMMC framework, visit the official CMMC web page.
How to Become Compliant with the Interim Rule
The first step toward compliance is to get a clear picture of where your organization currently stands against the 110 security requirements of NIST SP 800-171. You can do this internally using the Assessment Methodology, or you can hire someone to conduct a pre-assessment readiness review that identifies gaps in your current cybersecurity policies and procedures. Mission Multiplier is proud to offer these services; we can help your organization identify these gaps and remediate them. Either way, it is extremely important that the score you enter in SPRS is accurate. Not only is accuracy a requirement of the interim rule, an honest score also gives you a sound baseline for planning your path to CMMC compliance. Being honest with yourself and with the DoD about your current cybersecurity posture matters for another reason: if the Government conducts an assessment above the “Basic” level and determines that your self-assessment was inaccurate, you could be found in violation of the False Claims Act, which can result in hefty fines and other serious consequences.
The next step is to create a plan to remediate any gaps you find. As stated above, the interim rule requires that when you upload your score to SPRS, you also include the date by which you expect to be fully compliant. It is important to be realistic in your planning, and it is essential to factor budget and resources into your estimate so that the deadline you report is achievable.
The final step is to remediate, by the target date you reported, any shortcomings found during your self-assessment or third-party pre-assessment readiness review. These gaps could be the result of inadequate policies or procedures, or they could stem from insufficient documentation to prove that your organization actually meets the requirements. Should your organization need help remediating these issues, Mission Multiplier can help you get on the right track toward compliance with our full spectrum of cybersecurity solutions.
Whether you plan to do a self-assessment or hire a company to assess your organization for you, your time is limited, so it is important to start now. If you or your organization has any questions about the interim rule, CMMC, or any other compliance-related topic, please reach out to us to see how we can help!