As the Department of Defense (DoD) transitions into the Cybersecurity Maturity Model Certification (CMMC), it has created a set of cybersecurity reporting and assessment requirements to bridge the gap between the CMMC and the cybersecurity requirements set out at DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting). These cybersecurity reporting requirements, set out at DFARS 252.204-7019 and DFARS 252.204-7020, break the reporting and assessment process into two parts. The first part requires a contractor to certify what cybersecurity measures it has taken. The second part requires the contractor to certify the trustworthiness or confidence of that cybersecurity assessment. See DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements); DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements).
Part 1 – Cybersecurity Assessment Contents
The first element of the DoD Cybersecurity Assessment involves assessing the contractor’s actual compliance with the standards set out at NIST SP 800-171. The submission will be emailed or uploaded to the Supplier Performance Risk System (SPRS). DFARS 252.204-7020(d)(2). The email or upload will contain the following:
- The version of NIST SP 800-171 the contractor is assessing against,
- the organization conducting the assessment,
- the CAGE codes of the entities covered by the assessment,
- a summary of the security plan being assessed,
- the date the assessment was completed,
- summary level of the score, and
- the date at which the entity plans to meet all standards set forth in NIST SP 800-171.
DFARS 252.204-7020(d)(1)(i).
Most of these requirements are self-explanatory, but it should be noted that the summary level of the score is described as the number of standards met over the number of standards set out in that version of NIST SP 800-171. DFARS 252.204-7020(d)(1)(i). For example, if an entity has met 95 of the standards, and the assessed version of NIST SP 800-171 has 110 standards, then the summary would state that the entity has met 95 out of 110 standards. DFARS 252.204-7020(d)(1)(i)(E). Note, however, that the summary does not require the entity to detail the degree to which it has met each standard. Id. It merely asks the entity whether it has met the standard. Id.
Part 2 – Cybersecurity Assessment Levels
The second element of the assessment asks who is doing the assessing, and how they are doing that assessment. Each assessment is given a rating based on its trustworthiness. The three assessments are “Basic Assessment,” “Medium Assessment,” and “High Assessment.” Each is associated with a confidence rating – “basic,” “medium,” and “high” respectively. It is worth reiterating that this is not a rating of how secure an entity is, nor is it a rating of how secure a system the contractor uses. It is a rating detailing who conducted the assessment and how – it’s a trustworthiness or confidence rating. The basic assessment is a low confidence assessment, and the high assessment is a high confidence assessment.
Basic Assessment
The basic assessment is performed by the contractor itself. DFARS 252.204-7020(a). This assessment requires the contractor to review its own system security plan. Id. The contractor assesses how well it complies with its own security plan’s requirements, and how well that security plan meets the standards set forth in NIST SP 800-171. Id. Since this score is a self-assessment, it receives a confidence score of “low.” Id.
Medium Assessment
The medium assessment is a step up from the basic assessment, and builds upon it. Id. This assessment is performed by the government, and is a review of the contractor’s basic assessment detailed above. Id. The government reviews the contractor’s basic assessment and the documents used to produce it. Id. Then the government asks the contractor any questions it needs answered in order to properly assess the contractor’s system security plan. Id. This review results in a confidence score of “medium.” Id.
High Assessment
This assessment is also performed by the government. The high assessment builds on the contractor’s basic assessment, and includes all of the review elements of the government’s medium assessment. Id. In addition to those medium assessment requirements, the government reviews the contractor’s system security plan in accordance with the review standards set out at NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information. Id. The review standards set out at NIST SP 800-171A are more advanced, and as such, the government assesses which of these more advanced standards the contractor has met. This review results in a confidence score of “high.” Id.
The contractor has 14 days after the government has finished a medium or high assessment to rebut the summary score the government has provided. DFARS 252.204-7020(e).
Subcontractors
Prime contractors hiring subcontractors to work on contracts with the requirements set out by the cybersecurity assessment clauses must flow down these contract clauses – i.e., they should ensure that a subcontractor has completed a basic assessment and complies with the standards required by their contractor. DFARS 252.204-7020(g). Subcontractors should submit basic assessments through the same portal as prime contractors. Id.
Using the Assessments
These assessments are used alongside the cybersecurity requirements detailed at DFARS 252.204-7012. Solicitations including DFARS 252.204-7012 ask contractors to meet the basic requirements set out at NIST SP 800-171 (requiring contractors to meet the 110 standards on contracts including the clause). This clause is included in contracts that will involve controlled unclassified information[1]. These solicitations require contractors to meet the NIST SP 800-171 standards at a certain confidence level, which should be spelled out in the solicitation. See generally DFARS 252.204-7012. Contractors should have an assessment in SPRS at the correct confidence level to be awarded the contract.
Review of NIST SP 800-171
NIST SP 800-171 is a set of 110 cybersecurity standards intended to ensure the protection of controlled unclassified information during performance of a DoD contract. The broad families of standards are:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communication Protection
- System and Information Integrity
No system is unbreachable, but meeting these standards means contractors will have a lower likelihood of being breached, are more likely to know when they have been breached, and will know what information was compromised following a breach.
The Future of Cybersecurity in Government Contracting
Cybersecurity is becoming ever more important in government contracting. These requirements represent a bridge between the earlier DFARS 252.204-7012 requirements, which asked contractors to self-certify that they met the standards set out at NIST SP 800-171, and the even deeper requirements represented by the CMMC.
DoD recently proposed a timetable for CMMC compliance. It expects the final version of the CMMC to be released in early 2025. Once that final rule is released, it begins a 4-phase process. The early phases will require self-assessment, but the later phases will require cybersecurity certification by outside cybersecurity assessors. By the end of the three and a half years, the CMMC’s requirements will have full effect in DoD procurements subject to DFARS 252.205-7021.
Phase 1 – On the Effective Date of the CMMC/Revised DFARS 252.204-7021
Phase 1 will come online on the CMMC’s effective date. During this first phase of CMMC rollout, the government will begin putting CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment in its contracts. DoD is given the option to include the requirements in the exercise of options, and may, at its discretion, require CMMC Level 2 Certification Assessment on new procurements.
Phase 2 – Six Months After the Start of Phase 1
Six months after phase 1, phase 2 of the CMMC rollout will begin. In addition to the requirements of phase 1, DoD will require CMMC Level 2 Certification Assessments in all appropriate solicitations. Additionally, at its discretion, it may begin to include CMMC Level 3 Certification Assessments in new procurements.
Phase 3 – One Year After the Start of Phase 2
One year after the start of phase 2, phase 3 will begin. During this phase, DoD will require CMMC Level 2 Certification Assessments in all relevant solicitations and for options exercised after the start of phase 3, even on procurements that started prior to phase 3. Additionally, it will require CMMC Level 3 Certification Assessment for contracts, and option exercises on contracts, that warrant that degree of security. However, DoD retains the right to waive the CMMC Level 3 Certification Assessment requirement for contract award, postponing that requirement until awarding an option.
Phase 4 – One Year After the Start of Phase 3
This is the final phase of CMMC, where the CMMC is in full effect. The full requirements of the CMMC will be applied to each DoD procurement, as appropriate.
————————————————————————————–
[1] Controlled Unclassified Information (CUI) is unclassified information the government has created that is not allowed to be released to the public. It includes information on certain national security topics, procurement sensitive information, and personally identifiable information. The DoD cybersecurity assessment system detailed at DFARS 252.204-7019 and DFARS 252.204-7020 is primarily concerned with protecting this controlled unclassified information.