As detailed in our previous post, the Department of Defense (DoD) is highly concerned about the protection of sensitive information residing on contractor networks. In order to ensure that contractors are employing adequate controls to safeguard information, requirements have been inserted into DoD contracts, providing the federal government with legal remedies should contractors fail to meet their agreed to obligations. In this post we will provide an overview of the Defense Federal Acquisition Regulation Supplement (DFARS) requirements that contractors must adhere to when included in their DoD contracts.
I. DFARS 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting”
In October of 2016, to enhance the security of information within the Defense Industrial Base (DIB), the DoD implemented DFARS 252.204-7012. This clause requires contractors that utilize Covered Defense Information (CDI) to provide adequate security for that information when being processed, stored, or transmitted on their networks. Adequate security is described in the clause as the implementation of the 110 security requirements contained in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. For any requirement that is not implemented, contractors are to document a remediation plan in a Plan of Actions and Milestones (POAM).
However, it should be noted that NIST compliance does not equate to DFARS 252.204-7012 compliance, as that clause includes additional requirements, with one being the rapid reporting of cyber incidents. A cyber incident is defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” Under this requirement, contractors must report any cyber incident to the DoD Chief Information Officer within 72 hours of identification. Contractors must possess a medium assurance certificate to report the incident, submit malicious software to the DoD Cyber Crime Center, preserve impacted media for 90 days, and cooperate with the DoD if more information is needed.
Lastly, it should be noted that this rule does not only apply to prime contractors – all sub-tier contractors that handle CDI in performance of their contracts must also ensure that they meet the cybersecurity requirements of NIST SP 800-171. Subcontractors are often targeted by attackers since they typically have less sophisticated security measures in place than larger primes but may possess valuable program information. Prime contractors are required to flow the clause down in subcontracts that will require the use of CDI.
In order to be awarded a contract, the contractor responds to the RFP effectively certifying that it complies with the clause. But this self-attestation has led to many contractors stating they have implemented all 110 controls without fully validating that the controls are in place or identifying where CDI resides within their systems, causing the information to be just as at risk of a cyber-attack as before this rule was implemented.
II. DFARS 252.204-7019 & 7020 “Notice of NIST SP 800-171 DoD Assessment Requirements” & “NIST SP 800-171 Assessment Requirements”
Driven by the need to validate that contractors have fully implemented the NIST SP 800-171 controls, the DoD issued two additional requirements, DFARS 252.204-7019 and 7020, on November 30, 2020. These clauses require contractors to perform an assessment of their compliance with NIST SP 800-171 in accordance with prescribed methodology and control values, and submit their score to a federal database, the Supplier Performance Risk System (SPRS). Contractors are required to submit a date by which all 110 controls are to be fully implemented, and they have the capability to update their score within SPRS as they remediate identified control gaps.
The clause’s wording describes three assessments which can be conducted with varying levels of confidence: Basic, Medium, and High. Basic assessments are conducted by the contractor and result in a low level of confidence. Medium and High assessments are conducted by DoD personnel and require that the contractor provide access to facilities and information in order for assessors to conduct a thorough document review to validate that controls are actually fully implemented. At each level, a system security plan must be available for evaluation in order for the assessment to be completed.
Under these clauses, it is not required that a contractor have a perfect score in order to be awarded a contract, but the contractor must have a submitted score, which will be considered current for three years since the date of assessment. While the DoD has not stated that the score value will be used as an evaluation factor, it is easy to imagine that scores of competing offerors may be considered in a competitive evaluation.
III. DFARS 252.204-7021 “Cybersecurity Maturity Model Certification Requirement”
Initially announced in the summer of 2019, the Cybersecurity Maturity Model Certification (CMMC) requirement was formalized on November 30, 2020 through DFARS 252.204-7021. This framework will be utilized by the DoD to ensure that contractor cybersecurity practices have been assessed and verified by qualified and objective third parties prior to those contractors being awarded a government contract. Building on the self-assessment model of 252.204-7012, the CMMC framework will utilize a maturity rating of Levels 1 – 5 to assign an increasingly robust set of security requirements for contractors based on the sensitivity of the data in DoD contracts. To be eligible for award, contractors must receive a third-party certification validating that all required cybersecurity requirements are implemented and operating in accordance with the specific contract rating. At this time, official guidance is that no POAMs will be accepted.
While the DoD has initiated this requirement and is responsible for determining the rating of its contracts, the CMMC infrastructure will largely be managed by an independent, non-profit, and private organization, the CMMC Accreditation Body, and certification assessments will be conducted by third-party assessors known as CMMC third-party assessor organizations, or C3PAOs.
The requirement is to be rolled out over a 5-year period, and by 2026, all DoD contractors (other than those providing commercial off-the-shelf items) will be required to meet the minimum requirements aligned to Level 1 (17 requirements). Any contractors utilizing Controlled Unclassified Information (CUI) to perform the contract scope will need to have all 130 requirements aligned with Level 3 implemented in order to receive a certification to perform on contracts with a Level 3 rating. It is anticipated that contracts requiring certification at Levels 4 and 5 will be rare, though contractors working with developmental and highly sensitive defense technology should be aware that they may be required to meet the most rigorous cybersecurity standards of the framework (up to 171 requirements). Failing to receive a certification effectively prohibits a contractor from working on DoD contracts.
Lastly, the CMMC requirement will be required for contractors at all tiers, meaning any company that will be performing on a DoD contract will need at least a Level 1 certification. This could have huge ramifications across the DIB, and prime contractors must understand how this requirement will impact their lower-tier suppliers and determine if contingency sourcing plans should be developed.
IV. Impact on Contractors
The latest DFARS cyber requirements allow for enhanced insight into the security posture of the DIB, something that was greatly missing before the recent rules were established, and they foster the desired progression of cybersecurity maturity by validating whether or not contractors have fully implemented controls focused on the protection of information. However, there are many questions that remain. For example:
- What is considered a good or bad score, and how much weight will evaluation officials place on scores when awarding contracts?
- Who is ultimately responsible for determining when information being developed by contractors becomes CUI, and how might that affect the system boundaries initially determined to be in-scope by the contractor?
- How will contractors be selected for Medium and High assessments to be conducted by government officials?
- How will disagreements between contractors and customers or assessors be mediated given the level of subjectivity of certain control requirements?
- What is the risk of a false claim if a contractor submits a score in good faith that is later deemed to be inaccurate?
- Will the consideration of cybersecurity in the source selection and evaluation process result in expanded grounds for bid protests?
- How will contractors balance rate competitiveness against cost recoverability, and will this impact the level of security ultimately implemented?
- What quality control mechanisms will be employed to ensure the assessment methodologies of the C3PAOs are consistent and appropriate across all assessments?
While many of the NIST security requirements are basic practices that numerous organizations employ as a matter of good cyber hygiene, their inclusion in a federal contract requirement opens contractors to a variety of risks, primarily their ability to be awarded contracts. In the competitive marketplace of defense contracting, the inability of a contractor to comply with the DFARS cybersecurity requirements may result in a drastic loss of business.
As the uncertainty continues, organizations are best served by staying prepared and conducting assessments now to identify gaps and weaknesses. While questions remain outstanding, much guidance has been issued to date which should provide entities with a general roadmap to compliance. Chess Consulting has been assisting our clients since the issuance of 252.204-7012 and can provide insight from our experience with dozens of clients across industry sectors. If you have any questions regarding the requirements discussed, please reach out to set up a discussion.