October 26, 2020
Good afternoon, everyone!
As you know, the interim rule establishing the CMMC requirements was published on September 29 and takes effect November 30. There were a few surprises in this rule!
First, many people assumed that the DFARS clause Safeguarding Covered Defense Information and Cyber Incident Reporting (252.204-7012) would be re-written to include the CMMC. In fact, that clause remains intact (and still in force! Don’t forget it’s more than just the NIST 800-171 controls). The new interim rule is a supplement to the 7012 clause and has three parts:
- 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements
- 252.204-7020 NIST SP 800-171 DoD Assessment Requirements
- 252.204-7021 Cybersecurity Maturity Model Certification Requirements
The first two (7019 and 7020) introduce a new DoD Assessment requirement for all contractors and subcontractors who handle CUI, and it takes effect on November 30 for everyone, not on a five-year rollout plan like the CMMC. The DoD Assessment does not have to be done by an independent third party (as the CMMC does); it can be a self-assessment. Read on for more information on this.
The new DFARS provision 252.204-7019 advises offerors required to implement the NIST SP 800-171 standards of the requirement to have a current (not older than three years) NIST SP 800-171 DoD Assessment on record in order to be considered for award. The provision requires offerors to ensure the results of any applicable current Assessments are posted in SPRS and provides offerors with additional information on conducting and submitting an Assessment when a current one is not posted in SPRS.
What is SPRS? That’s the Supplier Performance Risk System database:
SPRS is the Department of Defense’s single, authorized application to retrieve suppliers’ performance information. SPRS is a web-enabled enterprise application that gathers, processes, and displays data about the performance of suppliers.
Historically, government contractors have been scored on three factors in determining an award: Cost, Schedule and Performance. The new 7019 and 7020 clauses add the DoD Assessment results to the contractor’s Performance score. The 7020 clause describes the three types of DoD Assessments:
- A Basic Assessment is a self-assessment of the contractor’s implementation of NIST SP 800-171
- A Medium Assessment is conducted by the Government, consisting of review of the contractor’s Basic Assessment and discussions with the contractor
- A High Assessment is conducted by Government personnel using NIST SP 800-171A, which adds “Verification, examination, and demonstration of a Contractor’s system security plan” to the review process
A Basic Assessment “Results in a confidence level of ‘Low’ in the resulting score, because it is a self-generated score,” while a Medium Assessment “Results in a confidence level of ‘Medium’ in the resulting score” and a High Assessment “Results in a confidence level of ‘High’ in the resulting score.” And who are the “Government personnel” doing these assessments? Presumably that would be the folks from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) who have been performing High Assessments (on a voluntary basis) of large defense contractors since last year. I’ll talk more about DIBCAC some other time.
The new 7020 clause requires a contractor to provide the Government with access to its facilities, systems, and personnel when it is necessary for DoD to conduct or renew a higher-level Assessment. The clause also requires the contractor to ensure that applicable subcontractors also have the results of a current Assessment posted in SPRS prior to awarding a subcontract or other contractual instruments. (emphasis added)
So, to summarize, prior to the next contract award after November 30, if you handle CUI, you must have a DoD Assessment recorded in SPRS, and likewise any of your subcontractors who handle CUI. Contractors cannot access other contractors' information in SPRS (only government personnel can), so you will have to work out with your subs how they provide you with their DoD Assessment scores. I’ll talk about the form of the self-assessment, and the work of DIBCAC, in a future update.
Meanwhile, now is a good time to review your System Security Plan (SSP) and Plan of Actions & Milestones (POAM) and start working on any of the NIST 800-171 controls that you haven’t fully implemented. Let me know if you need help!
Please feel free to share this email with anyone you think needs this information! Anyone can have these updates delivered to their email inbox by signing up at https://www.theneteffect.com/cmmc/, and you can read past updates on our website, along with tons more information under the Resources tab.
Glenda R. Snodgrass, CMMC-RP
The Net Effect, LLC
PS -- If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!