On Jan. 31, 2020, the Department of Defense (DoD) released a cybersecurity framework with plans to mandate its implementation throughout the entire Defense Industrial Base (DIB). The Cybersecurity Maturity Model Certification (CMMC) builds on the previous baseline, the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171. The key difference is who verifies compliance: under the existing rules, a contractor’s implementation of NIST SP 800-171 was self-attested, whereas CMMC requires a Certified Third-Party Assessment Organization (C3PAO) to independently assess and certify a company’s implementation of the framework’s requirements.
In addition to the new CMMC framework, DoD has amended its Defense Federal Acquisition Regulation Supplement (DFARS). The existing 252.204-7012 clause remains in place, and three new clauses (7019, 7020 and 7021) have been added alongside it to allow enforcement of CMMC and to impose additional NIST SP 800-171 assessment requirements until CMMC is fully phased in over the next few years.
The new clauses took effect on Nov. 30, 2020.[1] Existing contracts are not affected unless they are modified by a change order, but new contracts awarded after that date include the 7019 and 7020 clauses, which require a current NIST SP 800-171 self-assessment, and may also include the 7021 clause if the contract has been selected for CMMC implementation. We explain each of these clauses in further detail below.
The DFARS rules explained
The new clauses can be confusing, so it is easier to understand them if each one is restated in plain English.
Existing rule: DFARS 252.204-7012
Since 2016, DoD contracts have addressed contractor cybersecurity by including the 7012 clause, which required contractors that handle controlled unclassified information (CUI) to implement the NIST SP 800-171 requirements by Dec. 31, 2017. Contractors were only required to self-attest compliance with the requirements, and partial compliance was allowed as long as the gaps were documented in a System Security Plan (SSP) together with a remediation plan for the non-compliant elements (a Plan of Action and Milestones, or POA&M).
Simply put, the new DFARS rules follow a “crawl, walk, run” approach, giving the DoD greater assurance in the security posture of its supply chain while the CMMC is phased in.
- “Crawl”: DFARS 252.204-7019, basic self-assessment
To be awarded a contract after Nov. 30, 2020, contractors must complete a self-assessment against the NIST SP 800-171 requirements using the DoD’s assessment methodology[2] and upload the resulting summary score into the DoD’s Supplier Performance Risk System (SPRS). The assessment must be current, meaning less than three years old. A score of 110 corresponds to full implementation of all 110 requirements; if the self-assessment score is lower, the contractor must also enter the date by which it expects to reach full compliance.
- “Walk”: DFARS 252.204-7020, medium/high assessment
Contractors must give the government access to their facilities, systems and personnel so that DoD (in practice, the Defense Contract Management Agency’s DIB Cybersecurity Assessment Center) can conduct or renew a Medium or High assessment that verifies the accuracy of the contractor’s basic self-assessment. The clause also requires the contractor to ensure that applicable subcontractors have the results of a current assessment posted in SPRS before a subcontract is awarded.
- “Run”: DFARS 252.204-7021, CMMC certification
If this clause is included, the contractor must hold and maintain the CMMC certification at the level required by the contract for its entire duration. Contractors are also responsible for confirming that every subcontractor supporting the contract holds a current CMMC certificate at the level appropriate for the information flowed down to it.