As the Department of Defense (DoD) transitions into the Cybersecurity Maturity Model Certification (CMMC), it has created a set of cybersecurity reporting and assessment requirements to bridge the gap between the CMMC and the cybersecurity requirements set out at DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting). These cybersecurity reporting requirements, set out at DFARS 252.204-7019 and DFARS 252.204-7020, break the reporting and assessment process into two parts. The first part requires a contractor to certify what cybersecurity measures it has taken. The second part requires the contractor to certify the trustworthiness or confidence of that cybersecurity assessment. See DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements); DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements).
Part 1 – Cybersecurity Assessment Contents
The first element of the DoD Cybersecurity Assessment involves assessing the contractor’s actual compliance with the standards set out at NIST SP 800-171. The submission will be emailed or uploaded to the Supplier Performance Risk System (SPRS). DFARS 252.204-7020(d)(2). The email or upload will contain the following:
- The version of NIST SP 800-171 the contractor is assessing against,
- the organization conducting the assessment,
- the CAGE codes of the entities covered by the assessment,
- a summary of the security plan being assessed,
- the date the assessment was completed,
- summary level of the score, and
- the date at which the entity plans to meet all standards set forth in NIST SP 800-171. DFARS 252.204-7020(d)(1)(i).
Most of these requirements are self-explanatory, but it should be noted that the process for producing the score asked for in element 6 is described in the NIST SP 800-171 DoD Assessment Methodology. DFARS 252.204-7020(d)(1)(i). The maximum score is 110 – hypothetically one point for each standard met, but the scoring is more complex than simply awarding a point for each standard. Id.
Quick Summary of the NIST SP 800-171 DoD Assessment Methodology
The goal of the NIST SP 800-171 DoD Assessment Methodology (Assessment Methodology) is to score the security of a contractor’s system. NIST SP 800-171 Assessment Methodology Version 1.2.1, (5)(a). This is reflected in the scoring methodology – often relatively small changes can dramatically improve a contractor’s score.
Rather than awarding a point for each standard, the scoring methodology starts at 110 points, and deducts one or more points for each standard not implemented. The more important to an effective cybersecurity system the missed standard is, the greater the deduction. This means that it is possible – or even likely – that a contractor can receive a negative score.
Standards that have a great impact on system security will deduct 5 points if missed, standards that have a more limited impact will deduct 3 points, and standards that have an indirect effect on cybersecurity will each deduct 1 point. Most of the standards are “all or nothing,” with partial implementation resulting in a full deduction; however, a few of the standards will deduct 3 points for partial implementation and 5 points for non-implementation. For example, if multi-factor authentication is implemented for remote or critical staff but not general staff, 3 points are deducted, but if multi-factor authentication is not implemented at all, 5 points are deducted. Remember, however, that this is the exception, not the rule. NIST SP 800-171 Assessment Methodology Version 1.2.1, (5)(d).
Additionally, certain standards are reliant on other standards, and therefore these reliant standards, individually called a derived security requirement, will have their points deducted when the standard they rely upon, called a basic security requirement, is not met. Therefore, failing a high-impact basic security requirement with several derived security requirements attached to it will result in a very large reduction in score, since the points from both the basic cybersecurity standards and the associated derivative standards are deducted from the final score. The net effect of this is that sometimes a very low score resulting from a non-implemented basic standard can be surprisingly easy to remedy. NIST SP 800-171 Assessment Methodology Version 1.2.1, (5)(d)-(e).
The 252.204-7020 clause asks for the date at which the contractor will fully meet NIST SP 800-171 requirements. This requirement is repeated in the assessment methodology. Having a written plan of action for compliance with NIST SP 800-171 requirements is itself one of the standards set forth in NIST SP 800-171.[1] NIST SP 800-171 Assessment Methodology Version 1.2.1, (5)(g).
The methodology includes exceptions for isolated temporary non-implementation associated with quickly changing situations, and disruptions caused by the implementation of other standards. These temporarily non-implemented standards will be considered implemented as long as they are truly temporary and isolated. Full details on this can be found at NIST SP 800-171 Assessment Methodology Version 1.2.1, (5)(h).
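The deduction rules summarized above can be written out as a small scoring routine, which makes two of the article’s points concrete: why the score can go negative, and why a single unimplemented basic requirement drags its derived requirements down with it. The following is an added illustration, not the text of the DoD Assessment Methodology or of any DFARS clause. The requirement identifiers (AC-B1, AC-D1 through AC-D3, IA-MFA, F001 and so on) and their point weights are constructed for the demonstration and are not the real NIST SP 800-171 table; the only weight taken from the article is 3.12.2 (plan of action, 3 points, per footnote [1]).

```python
"""Illustrative scoring of a NIST SP 800-171 self-assessment, SPRS-style.

Added example; it is not the DoD Assessment Methodology or the DFARS text.
It encodes the rules summarised in the article: start at 110; deduct 5, 3 or
1 points per requirement not implemented; give partial credit (3 instead of
5) only for the few requirements that allow it; treat a derived requirement
as not implemented when its basic requirement is not implemented; and treat
isolated temporary gaps under (5)(h) as implemented. Requirement identifiers
and weights below are CONSTRUCTED for the demo, except 3.12.2 (plan of
action, 3 points), which footnote [1] of the article gives.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional

MAX_SCORE = 110


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"                # e.g. MFA for remote/privileged users only
    NOT_IMPLEMENTED = "not_implemented"
    TEMPORARY = "temporary"            # isolated, temporary gap per (5)(h)


@dataclass(frozen=True)
class Requirement:
    rid: str
    weight: int                        # points deducted when not implemented: 5, 3 or 1
    partial_credit: bool = False       # True: partial implementation deducts 3, not 5
    basic: Optional[str] = None        # rid of the basic requirement this one derives from


def deduction(req: Requirement, status: Status) -> int:
    """Points lost for one requirement given its assessed status."""
    if status in (Status.IMPLEMENTED, Status.TEMPORARY):
        return 0
    if status is Status.PARTIAL:
        # Most requirements are all-or-nothing: partial counts as not implemented.
        return 3 if req.partial_credit else req.weight
    return req.weight


def score(catalog: List[Requirement], statuses: Dict[str, Status]) -> int:
    """Summary score: 110 minus all deductions. Can go negative.

    A requirement missing from `statuses` is treated as not implemented.
    """
    total = 0
    for req in catalog:
        status = statuses.get(req.rid, Status.NOT_IMPLEMENTED)
        # A derived requirement falls with its basic requirement.
        if req.basic is not None:
            basic_status = statuses.get(req.basic, Status.NOT_IMPLEMENTED)
            if basic_status is Status.NOT_IMPLEMENTED:
                status = Status.NOT_IMPLEMENTED
        total += deduction(req, status)
    return MAX_SCORE - total


def constructed_catalog() -> List[Requirement]:
    """110 requirements with CONSTRUCTED ids and weights (not the real NIST table)."""
    reqs = [
        Requirement("3.12.2", 3),                        # plan of action; weight from footnote [1]
        Requirement("AC-B1", 5),                         # constructed high-impact basic requirement
        Requirement("AC-D1", 1, basic="AC-B1"),          # constructed derived requirements
        Requirement("AC-D2", 1, basic="AC-B1"),
        Requirement("AC-D3", 1, basic="AC-B1"),
        Requirement("IA-MFA", 5, partial_credit=True),   # constructed MFA-style partial-credit case
    ]
    for i in range(110 - len(reqs)):                     # constructed filler to reach 110
        weight = 5 if i < 19 else 3 if i < 46 else 1
        reqs.append(Requirement(f"F{i + 1:03d}", weight))
    return reqs


def all_implemented(catalog: List[Requirement]) -> Dict[str, Status]:
    """Starting point for the scenarios: every requirement met."""
    return {r.rid: Status.IMPLEMENTED for r in catalog}


if __name__ == "__main__":
    cat = constructed_catalog()
    s = all_implemented(cat)
    s["AC-B1"] = Status.NOT_IMPLEMENTED                   # one basic requirement missed
    print("basic missed, derived cascade:", score(cat, s))  # 102: 5 + 3 x 1 deducted
    s = all_implemented(cat)
    s["IA-MFA"] = Status.PARTIAL
    print("MFA partial:", score(cat, s))                    # 107
    print("nothing implemented:", score(cat, {}))           # -140
```

Running the scenarios shows the cascade described above: missing the constructed basic requirement AC-B1 costs 8 points (its own 5 plus 1 for each of three derived requirements), yet implementing that one control restores all 8, which is why a low score driven by a basic requirement can be quick to remedy. Marking a gap TEMPORARY costs nothing, matching the (5)(h) exception, while a partial implementation of an all-or-nothing requirement such as 3.12.2 still takes the full deduction.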
Part 2 – Cybersecurity Assessment Levels
The second element asks who is doing the assessing and how the assessment is done. Each assessment is given a rating based on its trustworthiness. The three assessments are “Basic Assessment,” “Medium Assessment,” and “High Assessment.” Each is associated with a confidence rating – “basic,” “medium,” and “high” respectively. It is worth reiterating that this is not a rating of how secure an entity is, nor is it a rating of how secure the system the contractor uses is. It is a rating detailing who conducted the assessment and how – it’s a trustworthiness or confidence rating. The basic assessment is a low confidence assessment, and the high assessment is a high confidence assessment.
Basic Assessment
The basic assessment is performed by the contractor itself. DFARS 252.204-7020(a). This assessment requires the contractor to review its own system security plan. Id. The contractor assesses how well it complies with its own security plan’s requirements, and how well that security plan meets the standards set forth in NIST SP 800-171. Id. Since this score is a self-assessment, it receives a confidence score of “low.” DFARS 252.204-7020(a).
Medium Assessment
The medium assessment is a step up from the basic assessment, and builds upon that basic assessment. Id. This assessment is performed by the government, and is a review of the contractor’s basic assessment detailed above. Id. The government reviews the contractor’s basic assessment and the documents used to produce that assessment. Id. Then the government asks the contractor any questions it needs answered in order to properly assess the contractor’s system security plan. Id. This review results in a confidence score of “medium.” Id.
High Assessment
This assessment is also performed by the government. The high assessment builds on the contractor’s basic assessment, and includes all of the review elements included in the government’s medium assessment. Id. In addition to those medium assessment requirements, the government reviews the contractor’s system security plan in accordance with the review standards set out at NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information. Id. The review standards set out at NIST SP 800-171A are more advanced, and as such, the government is assessing which of these more advanced standards the contractor has met. This review results in a confidence score of “high.” Id.
The contractor has 14 days after the government has finished a medium or high assessment to rebut the summary score the government has provided. DFARS 252.204-7020(e).
Subcontractors
Prime contractors hiring subcontractors to work on contracts with the requirements set out by the cybersecurity assessment clauses should ensure that a subcontractor has completed a basic assessment, and complies with the standards required by their contractor. DFARS 252.204-7020(g). Subcontractors should submit basic assessments through the same portal as prime contractors. Id.
Using the Assessments
These assessments are used alongside the cybersecurity requirements detailed at DFARS 252.204-7012. Solicitations including DFARS 252.204-7012 ask contractors to meet the basic requirements set out at NIST SP 800-171 (requiring contractors to meet the 110 standards on contracts including the clause). This clause is included in contracts that will involve controlled unclassified information.[2] These solicitations will require contractors to meet the NIST SP 800-171 standards at a certain confidence level. See generally DFARS 252.204-7012. Contractors should have an assessment in SPRS at the correct confidence level to be awarded the contract. See generally 252.204-7020, 252.204-7012.
Review of NIST SP 800-171
NIST SP 800-171 is a set of 110 cybersecurity standards intended to ensure the protection of controlled unclassified information during performance of a DoD contract. The broad families of standards are:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communication Protection
- System and Information Integrity
No system is unbreachable, but meeting these standards means contractors will have a lower likelihood of being breached, are more likely to know when they have been breached, and will know what information was compromised following a breach.
The Future of Cybersecurity in Government Contracting
Cybersecurity is becoming ever more important in government contracting. These requirements represent a bridge between the earlier DFARS 252.204-7012 requirements, which asked contractors to self-certify that they met the standards set out at NIST SP 800-171, and the even deeper requirements represented by the CMMC.
DoD recently proposed a timetable for CMMC compliance. It expects the final version of the CMMC to be released in early 2025. Once that final rule is released, it begins a 4-phase process. The early phases will require self-assessment, but the later phases will require cybersecurity certification by outside cybersecurity assessors. By the end of the three-and-a-half-year phase-in, the CMMC’s requirements will have full effect in DoD procurements subject to DFARS 252.204-7021.
Phase 1 – On the Effective Date of the CMMC/Revised DFARS 252.204-7021
Phase 1 will come online on the CMMC’s effective date. During this first phase of CMMC rollout, the government will begin putting CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment requirements in its contracts. DoD is given the option to include the requirements in the exercise of options, and may, at its discretion, require CMMC Level 2 Certification Assessment on new procurements.
Phase 2 – Six Months After the Start of Phase 1
Six months after phase 1, phase 2 of the CMMC rollout will begin. In addition to the requirements of phase 1, phase 2 will have DoD requiring CMMC Level 2 Certification Assessments in all appropriate solicitations. Additionally, at its discretion, it may begin to include CMMC Level 3 Certification Assessments in new procurements.
Phase 3 – One Year After the Start of Phase 2
One year after the start of phase 2, phase 3 will begin. During this phase, DoD will require CMMC Level 2 Certification Assessments in all relevant solicitations and for options exercised after the start of phase 3, even on procurements that started prior to phase 3. Additionally, it will require CMMC Level 3 Certification Assessment for contracts, and option exercises on contracts, that warrant that degree of security. However, DoD retains the right to waive the CMMC Level 3 Certification Assessment requirement for contract award, postponing that requirement until awarding an option.
Phase 4 – One Year After the Start of Phase 3
This is the final phase of CMMC, where the CMMC is in full effect. The full requirements of the CMMC will be applied to each DoD procurement, as appropriate.
[1] A lack of plan of action for unimplemented security requirements will result in Security Requirement 3.12.2 being assessed as ‘not implemented.’ This will deduct 3 points from your cybersecurity assessment.
[2] Controlled Unclassified Information is unclassified information the United States Government creates or possesses that requires safeguarding or dissemination controls limiting its distribution to those with a lawful government purpose. CUI may not be released to the public absent further review. Short version: CUI is whatever the government says is CUI. It is possible for a contractor to create CUI (i.e., it is not all government-created).