On November 30th, the Department of Defense (DoD) updated its supply chain regulations to ratchet up the accountability of defense contractors that use covered defense information in support of a contract. The Defense Federal Acquisition Regulation Supplement (DFARS) added the following clauses:
- 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements
- 252.204-7020 NIST SP 800-171 DoD Assessment Requirements
- 252.204-7021 Cybersecurity Maturity Model Certification
I’ll go into each of these clauses in detail below, but here is the short version:
- Effective immediately, DoD supply chain members should begin flowing down these clauses to all vendors and suppliers, excluding commercial off-the-shelf (COTS) vendors.
- Suppliers and DIB members that will be handling CUI and are looking to win new business or are up for renewal need to perform a Basic Assessment and upload the results to the Supplier Performance Risk System (SPRS) before those contracts can be awarded.
- Suppliers and DIB members currently operating under an existing contract should have a current SSP and POA&M. Renewals may include the new CMMC Level 3 requirement for safeguarding covered defense information.
- Suppliers and DIB members currently operating under an existing contract should also have a medium assurance certificate and should have explored reporting incidents to https://dibnet.dod.mil.
What is CUI?
That’s the multimillion-dollar question for most companies. Covered Defense Information, as referred to in 252.204-7012, means unclassified controlled technical information or other information as described in the CUI registry: http://www.archives.gov/cui/registry/category-list.html
If you’re like me, that definition wasn’t very helpful. Bottom line: DoD defines CUI and notifies you about it either in the contract vehicle or on a DD Form 254. We found this training very helpful, and you may also: https://securityhub.usalearning.gov/index.html
252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements
In order to be considered for award, an offeror required to implement 800-171 shall have a current, accurate and relevant SPRS entry not more than three years old. If you don’t have one, you can submit a self-assessment using the DoD scoring model.
DCMA has been running around doing medium and high assurance assessments for applicable contractors and uploading those results into SPRS. If they haven’t gotten to you yet, or you’re lucky and your organization will not require one, and you’re up for some new business or a renewal, you’ll want to do that Basic self-assessment and upload it to SPRS.
DoD is still trying to understand the impact of 800-171 on suppliers and their ability to meet these basic safeguarding requirements, so I would encourage you to report to SPRS even if you don’t have a perfect score. 252.204-7019 is part of an overall supply chain illumination effort. While DoD may use the score to determine whether an organization is “responsible”, it is important to report accurately to avoid liability under the False Claims Act! You can always update your score as your cybersecurity maturity improves.
Now, if you’re a sub to a prime in the supply chain, you may receive a notification from the prime asking you to update them once you have submitted a score to SPRS.
252.204-7020 NIST SP 800-171 DoD Assessment Requirements
Low, Medium and High assurance assessments will be required based on how much risk is associated with doing business with your organization. We have hands-on experience with assessments up to the High assurance level. We have found DCMA to be very friendly and informative; being prepared will help ensure a smooth and successful result.
The Basic self-assessment consists of building a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M), which are needed to generate an Assessment Methodology score (a scaled score out of 110 points, based on the DFARS control requirements). The scoring method used for the DoD Assessment Methodology can be a little confusing. To help with this, we have designed a spreadsheet that we have made available as a free download. This tool will help your organization self-assess and produce a score against NIST SP 800-171. The score will need to be provided to DoD along with a date of completion for any insufficient items. Inside the scoring methodology spreadsheet you will also find instructions for how to register on the SPRS portal and submit your score.
Of course, you may want to review the scoring methodology straight from the source: https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf
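To make the scoring arithmetic concrete, here is an added worked example of how the DoD Assessment Methodology score is computed. It is illustration written for this page, not CastleLock’s spreadsheet and not a DoD tool. It encodes the rules from the methodology document linked above: every one of the 110 requirements carries a weight of 1, 3 or 5 points, a fully implemented assessment scores 110, each unimplemented requirement subtracts its weight, and two requirements (3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography) get a reduced 3-point deduction when partially implemented. The five-requirement weights table and the findings are constructed sample data; the authoritative weights for all 110 requirements are in Annex A of the methodology PDF, and with the full table every requirement gets a finding.

```python
"""Score calculation for the NIST SP 800-171 DoD Assessment Methodology.

Added illustration; not CastleLock's spreadsheet and not a DoD tool.
Rules encoded (from the methodology document):
  * a fully implemented assessment scores 110 (one point per requirement);
  * each requirement not implemented subtracts its weight of 1, 3 or 5;
  * 3.5.3 (MFA) subtracts 3 instead of 5 when MFA covers remote and
    privileged users but not yet the general user base;
  * 3.13.11 (FIPS-validated cryptography) subtracts 3 instead of 5 when CUI
    is encrypted but the cryptography is not FIPS-validated.
The weights table below is a constructed sample; the real weights for all
110 requirements are in Annex A of the methodology PDF.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

MAX_SCORE = 110
IMPLEMENTED, PARTIAL, NOT_IMPLEMENTED = "implemented", "partial", "not_implemented"

# Only these two requirements allow the reduced deduction.
PARTIAL_CREDIT_DEDUCTION: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

# Constructed sample (an assumption of this example): five requirements with
# illustrative weights. Take the authoritative table from Annex A.
SAMPLE_WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,
    "3.1.3": 1,
    "3.5.3": 5,
    "3.13.11": 5,
    "3.14.1": 5,
}


@dataclass(frozen=True)
class Finding:
    """Assessor's conclusion for one requirement."""
    requirement: str
    status: str  # IMPLEMENTED, PARTIAL or NOT_IMPLEMENTED


def deduction(finding: Finding, weights: Dict[str, int]) -> int:
    """Points subtracted for one finding, applying the partial-credit rules."""
    if finding.requirement not in weights:
        raise KeyError(f"unknown requirement {finding.requirement}")
    if finding.status == IMPLEMENTED:
        return 0
    if finding.status == NOT_IMPLEMENTED:
        return weights[finding.requirement]
    if finding.status == PARTIAL:
        if finding.requirement not in PARTIAL_CREDIT_DEDUCTION:
            # The methodology has no partial credit for any other requirement:
            # it is either implemented or it is not.
            raise ValueError(f"{finding.requirement} cannot be scored as partial")
        return PARTIAL_CREDIT_DEDUCTION[finding.requirement]
    raise ValueError(f"unknown status {finding.status!r}")


def assessment_score(findings: Iterable[Finding], weights: Dict[str, int]) -> int:
    """110 minus all deductions; every weighted requirement needs exactly one finding."""
    seen = set()
    total = 0
    for f in findings:
        if f.requirement in seen:
            raise ValueError(f"duplicate finding for {f.requirement}")
        seen.add(f.requirement)
        total += deduction(f, weights)
    missing = sorted(set(weights) - seen)
    if missing:
        raise ValueError(f"no finding recorded for {missing}")
    return MAX_SCORE - total


def sprs_summary(findings: Iterable[Finding], weights: Dict[str, int],
                 poam_completion_date: Optional[str] = None) -> Dict[str, object]:
    """The two values the SPRS entry carries: the score and, for any score
    below 110, the date by which the open POA&M items will be implemented."""
    score = assessment_score(findings, weights)
    if score < MAX_SCORE and poam_completion_date is None:
        raise ValueError("a POA&M completion date is required while items remain open")
    return {
        "score": score,
        "poam_completion_date": None if score == MAX_SCORE else poam_completion_date,
    }


# Constructed findings against the sample table.
SAMPLE_FINDINGS = [
    Finding("3.1.1", IMPLEMENTED),
    Finding("3.1.3", NOT_IMPLEMENTED),    # -1
    Finding("3.5.3", PARTIAL),            # MFA for remote/privileged only: -3
    Finding("3.13.11", NOT_IMPLEMENTED),  # no FIPS-validated cryptography: -5
    Finding("3.14.1", IMPLEMENTED),
]

if __name__ == "__main__":
    print(sprs_summary(SAMPLE_FINDINGS, SAMPLE_WEIGHTS, "2021-06-30"))
```

The sample scores 101: three open items subtract 1 + 3 + 5 from 110, and because items remain open the entry must also carry the POA&M completion date. Re-running the same function after each POA&M item closes gives the updated score to resubmit to SPRS.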
The interim rule introduces new clauses and formalizes the CMMC. The “here and now” requirements are established via the DFARS 252.204-7019 and 252.204-7020 clauses as they pertain to the assessment methodology. These require contractors and subcontractors to have their assessment score available in SPRS. While DoD has not yet stated how the scores will be used, the score does provide information that contracting officers could use to assess risk and the ability to safeguard shared data.
252.204-7021 Cybersecurity Maturity Model Certification
Once more unto the breach, dear friends!
With the introduction of 7021 comes more concrete evidence that CMMC requirements are the long-term framework for managing the cybersecurity risk associated with safeguarding covered defense information in the supply chain. 252.204-7019 and 252.204-7020 provide DoD with supply chain illumination during the transition to CMMC, but CMMC is here to stay. If you anticipate doing business with DoD under a current small business, joint venture or other partnership mechanism, you will want to prepare to be CMMC audit ready.
Beginning in 2021, CMMC requirements will be gradually introduced into DoD contracts, and those requirements will be flowed down through the supply chain. In addition, many prime contractors will likely begin to establish timelines and requirements to reduce the risk of business disruption. Now is a really good time to assess your organization against NIST 800-171 and develop a plan for where your organization will need to be against the CMMC! A key step is to make sure that these new requirements are implemented for your organization in a way that makes sense, aligns with your business culture, and is correctly scoped. Helping your organization find the right scope for the data you are handling is important: the proper scope will save major time and investment. Where possible, establishing enclaves where CUI will be safely viewed and handled will greatly benefit your organization.
Remember that CMMC is a maturity model and not just something to implement. Successful CMMC certification means adopting mature processes and culture, and involves more than just tools. CastleLock has experienced, certified Registered Practitioners (RPs) to complete a DFARS Interim self-assessment or conduct a gap analysis for your company. Registered Practitioners have completed a rigorous course covering the information necessary to pass the upcoming CMMC assessments.
CastleLock has been providing the DoD supply chain with data safeguarding guidance and assessments on DFARS and NIST 800-171 since 2015. CastleLock has consultants authorized by the CMMC-AB to provide pre-assessments and guidance on the Cybersecurity Maturity Model Certification.
Contact us at the link below or at firstname.lastname@example.org to discuss how we can help you and your company with these important requirements.