On November 25, 2020, OUSD A&S and the CMMC Accreditation Body solidified their partnership by signing a no-cost contract to support this mission, one that matters for our cybersecurity, information security, and thus national security.
Almost three full years after the implementation of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, the US Department of Defense (DoD) has publicly recognized that DFARS 7012 alone was not effective in driving government contractors in the Defense Industrial Base (DIB) to properly protect Controlled Unclassified Information (CUI). Throughout the opening discourse of the 89-page DFARS Interim Rule released today, the DoD makes the case that contractors are self-attesting to compliance with DFARS 7012, yet the majority of them are not actually making the necessary changes to their systems and processes to meet the requirements.
Special thanks to Kris Carter of Verify for specific contributions and close review.
The DoD is looking to close the gap between security and compliance by enforcing existing requirements and codifying Cybersecurity Maturity Model Certification (CMMC) into the contractual requirements of solicitations moving forward. This will ensure that any self-attestation provided by a contractor is backed up by a third-party audit and certification that is centrally reported and managed for all contracting officers (KOs) to see.
The interim rule identifies three new DFARS clauses. I expect that all three clauses will be included together in contracts moving forward, as they rely on one another, similar to the existing DFARS 252.204-7012 and its sister clauses.
One important thing to note before we delve into the rest of the blog: some in the industry speculated there would be a change or removal of the previous DFARS 7012 requirements. As of the release, there are no modifications to the rule and the preexisting requirements listed below still stand.
- FedRAMP Moderate (or equivalent) for cloud environments
- NIST SP 800-171
- Paragraphs (c) through (g) for incident reporting, malware submission, media preservation, and forensics support
- DoD-approved medium assurance certificate for incident reporting
The New DFARS Clauses
DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements
This new DFARS clause notifies the contractor that it is required to maintain a record within the Supplier Performance Risk System (SPRS). Each contractor will be required to maintain a current DoD Assessment within the system. This means that each contractor will need to have a Basic, Medium, or High assessment completed at least every three years and ensure that the result is properly reported within SPRS.
SPRS is accessed through the Procurement Integrated Enterprise Environment (PIEE). If you do not have an account with SPRS, you will need to request access through PIEE, and you will need a certificate to register and authenticate to PIEE / SPRS.
DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements
Conceived from the challenges the DoD has faced in getting access to contractor facilities and systems for assessments, DFARS 7020 requires a contractor to provide access to its facilities, systems, and personnel when the DoD is conducting or renewing a Medium or High assessment.
You can no longer tell an assessor "You can't touch my keyboard" during an audit. Additionally, it requires that a contractor ensure all of their lower tier subcontractors have a current assessment in SPRS in accordance with 252.204-7019. Similar to DFARS 7012, there is also a flow-down component to ensure all subcontractors are pushing the current clause to their subcontractors, etc.
DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements
The DFARS 7021 clause is intended to codify the CMMC requirements into the federal regulatory framework. The rule documentation specifically requires that CMMC be used or included in all contracts, task orders, solicitations, etc., except for Commercial Off the Shelf (COTS) items.
While this clause requires that a contractor maintain the appropriate CMMC level for the duration of any contract and ensure that any subcontractors assigned to the contract do the same, it is important to note that the interim rule is set to require CMMC certification at the time of contract award rather than at proposal submission. Given the language in the rule, exactly how that will play out is certainly up for debate.
By not requiring CMMC certification at the time of proposal submission (listed as alternative 1 in the interim rule), several concerns and questions come to mind:
- What happens when a company is selected for a contract, but then upon investigation it is determined that they do not yet have a CMMC certification?
- Will the contracting officer then move to the #2 selection in this instance?
- Will a company be given a set amount of time to remedy their lack of certification after award notice?
- What if the Prime contractor has achieved CMMC certification at the appropriate level, but one or more of their subs have not?
- Will the prime be able to remove non-certified or lesser-certified contractors from the team and accept the award?
- What if non-certified sub contractors were key components of the Prime’s team winning the contract?
The DoD is referring to its assessment methodology as the "NIST SP 800-171 DoD Assessment Methodology and the CMMC Framework". A component of this methodology will be run directly by the DoD as part of the existing DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) assessments. DCMA has about 274 assessors running these assessments on contractors across the world.
There are three assessment types under this methodology: Basic, Medium and High
- Basic: Similar to the self assessments / self attestations that have been taking place since 2018
- Medium and High: Assessments run by DCMA
Regardless of the type of assessment that you complete, the results will be logged in SPRS. These assessments must be completed and reported every three years at a minimum.
The second assessment is the CMMC framework. This builds on the aforementioned DoD assessment and may go beyond the NIST 800-171 requirements depending on the type of data involved (FCI or CUI). As has been previously discussed, CMMC will require a CMMC Third Party Assessment Organization (C3PAO) to do the assessment and provide the certification to the appropriate level through the CMMC Accreditation Body. The level will then be recorded in SPRS. These assessments will also be required every three years at a minimum.
The rollout of CMMC will be phased through September 30, 2025, and all solicitations and contracts (except micro-purchases) after that date will require a CMMC certification to be eligible for award. The diagram on page 31 of the document shows C3PAO assessments rolling out across seven years. It is slightly odd to list seven years when there are only five years until October 1, 2025, but a possible explanation is that not all companies will get certified before 2025; due to contract timing, some will wait until year six or seven.
The total number of companies expected to be certified in years 1-7 is 163,391, with roughly 49,000 of them being Level 3 or above. Based on the flowdown rules and other reported metrics on the DIB, the potential numbers are going to be well above 49K for Level 3 certifications. While the diagram shows only a few hundred certifications in year one and 1,600 in year two, I believe based on the activity that I see in the market that many companies are going to front-load their CMMC certification in order to make themselves eligible for as many contract opportunities as possible. Many may not wait until 2024 or 2025 to attain certification because they are looking to grow their contract base and maintain the contracts they already have.
Now we can move on to a complex subject and exciting topic: cost. A large portion of the interim rule document is devoted to the expected cost impact on the DIB as a whole, but more specifically on the small business community that makes up almost 75% of the DIB. As required by law, a Regulatory Impact Analysis (RIA) was conducted, and some of the information is listed in the interim rule. They break down the costs into two primary areas: Assessment Costs and Engineering Costs.
For the NIST 800-171 controls and DoD assessments, the analysis only addressed the assessment costs. The cost to implement NIST 800-171 is not insignificant and has not yet been fully borne by the DIB, which is interesting, because the vast majority of companies are not fully implementing NIST 800-171, as evidenced in the statistics provided within the first few pages of the interim rule. Essentially, the DoD has assumed that the cost of NIST 800-171 compliance has already been absorbed by the DIB, since the requirement has been in effect since December 31, 2017 and all of the DIB has been self-attesting to compliance.
Again, the numbers below represent the cost of a DoD assessment only and covers the approximate labor or time to tell / show the government that you are meeting the requirements. If you want the details on how these numbers were calculated, their math is in the interim rule.
- Basic (self) Assessment: $74.31
- Medium (Government) Assessment: $908.56
- High (Government) Assessment: $50,676
When we get to the costs for implementing the CMMC framework, we have to remember that these numbers assume that the company has already implemented all 110 NIST 800-171 practices. These costs are only meant to approximate the needed cost for the additional requirements that go beyond NIST 800-171 on the engineering side and the costs for running through the assessment process with a C3PAO.
Additionally, the numbers below represent the average for a small business entity spread over a 20 year period for engineering and a 3 year period for assessments. Level 3 costs are shown only in this blog because the majority of companies reading this content will be aspiring for this level. Data for Levels 1-5 are included in the interim rule.
- Engineering Costs: $41,666 per year (remember, this is only for the 20 additional CMMC controls, not NIST 800-171 or DFARS cost)
- Assessment Costs: $17,032 per year (x3 = $51,096 for each C3PAO assessment)
Final Thoughts on CMMC and DFARS Interim Rule
Are the cost estimates proposed in the interim rule accurate? Many in the industry say they are laughably low. I think that separating out the CMMC costs from the NIST 800-171 / DFARS costs brings them a little closer to reality; however, it is extremely difficult to make that separation accurately. In all honesty, it may be surprising that the costs were as high as they are, considering some in the community expected the government to perceive the costs to be even lower.
To some, the DoD seems to be disconnected from the actual costs of compliance and security efforts required for the DIB. When the rubber meets the road, will there be a successful drive, or just a burnout?
Not called out in the ruling or supporting documents is the US's international industrial base. With known gaps in the communications going to these areas, and in some cases governments advising industry not to follow DFARS 7012, what kind of "shock to the system" may we incur by requiring DoD Assessment Methodology (DAM) scores to be submitted starting 60 days from the effective date? Additionally, can we expect these same organizations to submit their detailed status to a foreign government or permit foreign assessors (DIBCAC or CMMC) into their inner workings?
Considerable Questions Regarding the Rule
- Potential Conflicts in Reporting - Several discussions in industry have highlighted that organizations who have not made much progress may find themselves in a position where their scoring could be either fraudulent or contradict previous statements. The potential for False Claims Act actions rises dramatically.
- Exercising Contract Options - I may be reading more into this than warranted, but it would seem that these existing contracts will be the most challenging due to the fact that supply chain will need to be briefed and conduct the DAM scoring rapidly. Nearly all else in the ruling will affect new contracts and involve discussions and budgeting activities whereas these don’t have those same luxuries.
- CUI Identification & Control - Still not addressed is how we can ensure that what DoD provides to the primes is adequately marked to ascertain the appropriate CMMC Maturity Level that should apply to them. Then, how that is then broken apart and applied down through each layer of the supply chain.
- Scoring Visibility - There is clear information on how each prime/supplier is to get their score/certification into SPRS. However, there is no discussion on how a prime is to “ensure” that their subcontractors have current scores/certifications uploaded. We have yet to receive revised guidance on a prime’s ability to retain scoring/certification levels within their own supplier databases. Previously, industry was advised that it was not to collect or store this information.
- Liability for Primes - It would seem that until this ruling, many primes and mid-tiers have been able to maintain an arm’s length naiveté regarding the true status of their supply chain. Through the use of flowdowns and reps & warrants, the prime could demonstrate that their subtiers were indicating that they were compliant. With registration or certification by a third party, and the enhanced use of the term “ensure” for supply chain compliance, it may be difficult for the prime to maintain this arm’s length positioning. Should scoring become available, an organization may be faced with tough decisions on whether they are liable for knowingly working with insecure subcontractors… or at least factoring in some risk associated with this.
Katie Arrington on the DFARS Interim Rule
Katie Arrington (CISO A&S at the United States Department of Defense) recently spoke at a keynote session of The Cloud Security and Compliance Series (CS2). In that keynote, she discusses the latest DFARS Interim Rule, DFARS 7012, 7019, 7020 and 7021 (a.k.a. the DFARS 70 Series), and its impacts on CMMC and the Defense Industrial Base.