New Department of Defense (DoD) regulations related to government contractor cybersecurity requirements become effective Nov. 30, 2020.
The progressive steps to mandatory contractor Cybersecurity Maturity Model Certification (CMMC) are expected to roll out over the next five years. However, certain preliminary actions are required this month to ensure that contractors are eligible for award of new contracts, task orders, delivery orders or option terms.
History of Cybersecurity Requirements. The new CMMC requirements build on existing regulations. Under DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, contractors are required to comply with National Institute of Standards and Technology (NIST) SP 800-171, in the protection of certain contractor and government information. Defense contractors and subcontractors are required to provide "adequate security" to store, process or transmit Controlled Unclassified Information (CUI) on information systems or networks, and to report cyber incidents that affect systems or networks. Based on DoD research, contractors essentially performed system gap analysis and developed a plan for compliance, or Plan of Action and Milestones (POA&M). However, the government has had low visibility regarding contractor’s actual implementation and compliance with the 110 NIST SP 800-171 security requirements.
New Requirements. Contractors must be compliant with certain new regulations under Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041). Primarily, defense contractors are required to take two steps: (1) demonstrate implementation of NIST SP 800-171 on their information systems that process CUI, and (2) take steps to protect Federal Contract Information (FCI) and CUI on their information systems in preparation for full compliance and verification under the new CMMC Framework. Contractors must flow these requirements down to subcontractors.
Under the first step effective Nov. 30, in accordance with solicitation requirements and DFAR 252.204-7019, contractors that are required to implement NIST SP 800-171 must perform a Basic Assessment (as defined in DFAR 252.204-7020, NIST SP 800-171 DoD Assessment Requirements). In addition, the results of the Basic Assessment must be posted on the DoD Supplier Performance Risk System (SPRS). This reporting mechanism provides visibility to DoD Components into the scores of Assessments completed by contractors. To be eligible for award, contractor assessments must be current (i.e., not more than 3 years old).
The second step described in the new regulations includes a plan for preparation for contractor CMMC compliance, including an envisioned small business, phased rollout over one to seven years. Building upon the NIST SP 800–171 DoD Assessment Methodology, the CMMC framework adds “a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level.” The new regulations include future procedures for solicitations, contracts, task orders, delivery orders and option extensions that require CMMC compliance.
Until Sept. 30, 2025, contractual requirements for CMMC compliance must be approved by the Office of the Under Secretary of Defense for Acquisition & Sustainment OUSD (A&S). On or after Oct. 1, 2025, compliance through the new regulation (DFAR 252.204-7021 Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement), will be included in all solicitations, contracts, and task orders or delivery orders. The requirement will apply to awards, including those using FAR part 12, procedures for the acquisition of commercial items, except for procurement of commercially available off-the-shelf (COTS) items.
McGuireWoods’ government contracts and data privacy and security teams help clients prepare for CMMC compliance requirements, ensuring that they have taken the necessary steps to achieve CMMC certification. Defense contractors who (1) contract with defense agencies and (2) store FCI or CUI electronically should monitor CMMC updates closely. Please contact the authors if you have any questions about CMMC and its potential impact on your business, or require assistance interpreting the governing rules and regulations.