New Cybersecurity Compliance for the Department of Defense Supply Chain
By Carmen Vizaino
Partner Wahid Vizcaino LLP
On September 29, 2020, the Pentagon set forth a new interim Defense Federal Acquisition Regulation (DFAR) known as 2019-D041. The purpose of the new rule is “to implement a Department of Defense (DoD) Assessment Methodology and Cybersecurity Maturity Model Certification framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.” The public comment period on this interim rule is 60 days, so we have until November 30, 2020, to make our views known.
The goal of the proposed rule is to implement a new approach to cybersecurity for companies that are part of the defense industrial supply chain base, known as the DIB in DoD circles. The current approach asks DIB members to self-attest they have all reached the same set of requirements to secure the controlled but unclassified information handled when executing DoD contracted work. This is known as the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology. (See DFAR 252.204.7012) A basic assessment is a self-assessment completed by the contractor, while medium or high assessments are completed by the government.
The proposed change would add to this standard a varied set of requirements for a DIB member depending on what the contract requires of the company and would replace self-attestation of compliance with third-party verification of compliance. This is known as the Cybersecurity Maturity Model Certification (CMMC) framework. According to the interim rule, “the NIST SP 800-171 DoD Assessment and CMMC assessments will not duplicate efforts from each assessment, or any other DoD assessment, except for rare circumstances when a re-assessment may be necessary, such as, but not limited to, when cybersecurity risks, threats, or awareness have changed, requiring a re- assessment to ensure current compliance.”
The CMMC model uses best practices from various recognized standards including the current NIST SP 800-171 requirements in a cumulative process broken into five levels. In addition to the protection of Controlled Unclassified Information (CUI), the CMMC covers the protection of Federal Contract Information (FCI) as outlined in the regulations. The advantage of the CMMC over the current NIST regulations allow for a business to become cybersecurity complaint with less requirements based upon what the contract is asking of the company. A DIB member that cuts the lawn on a government facility may need less requirements than a member who creates parts for a fighter jet, so why force them to the same standard?
The interim rule also sets out how the third-party assessments shall be conducted. “An accredited third party (C3PAO) will conduct the assessments and upon successful completion will be awarded certification by the CMMC-AB. This information is recorded in the Supplier Performance Risk System (SPRS) for confirmation prior to a future contract award. CMMC will apply to all DoD solicitations and contracts, including those for the acquisition of commercial items (except those exclusively commercial off the shelf, COTS, items) valued at greater than the micro-purchase threshold” [currently $10,000 based on 10 U.S.C. §2338], “starting on or after October 1, 2025.” In short, this means the CMMC Accrediting Body is the only entity that can certify your company and you have to use a third-party assessor licensed through that entity, and everyone in the DIB will have to comply by the end of fiscal year 2025.
The interim rules proposed are in the form of three new DFARS and they are as follows:
“The new DFARS provision 252.204-7019 advises offerors required to implement the NIST SP 800-171 standards of the requirement to have a current (not older than three years) NIST SP 800-171 DoD Assessment on record in order to be considered for award.” So, if you have a contract with DoD now, you are likely good to go until the end of that contract or three years from the start of that contract. Whichever comes first.
“The new DFARS clause 252.204-7020 requires a contractor to provide the government with access to its facilities, systems, and personnel when it is necessary for DoD to conduct or renew a higher-level assessment.”
“A new DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, is prescribed for use in all solicitations and contracts or task orders or delivery orders, excluding those exclusively for the acquisition of COTS items. This DFARS clause requires a contractor to: Maintain the requisite CMMC level for the duration of the contract; ensure that its subcontractors also have the appropriate CMMC level prior to awarding a subcontract or other contractual instruments; and include the requirements of the clause in all subcontracts or other contractual instruments.” This is applicable at the time of the award.
“To achieve the desired policy outcome, DoD intends to apply the new provision and clauses to contracts and subcontracts for the acquisition of commercial items and to acquisitions valued at or below the simplified acquisition threshold, but greater than the micro-purchase threshold. The provision and clauses will not be applicable to contracts or subcontracts exclusively for the acquisition of commercially available off-the-shelf items.”
While “the cost of these CMMC assessments will be driven by multiple factors including market forces, the size and complexity of the network or enclaves under assessment, and the CMMC level”, some costs for company assessments have been estimated in the DFARS 2019-D041 document. The estimated costs project how much the company will likely invest in staff time to work with the assessor and separately project how many hours the assessor will likely spend conducting the actual assessment. Each of those times are converted into dollars to arrive at the estimated cost for a particular third-party assessment. For example, the total cost for a CMMC Level 1 assessment is $2,995.56. This is based upon $1,166.48 for contractor support, your company employee time, and $1833.08 for the time of the actual third-party assessor.