On Jan. 31, 2020, the Department of Defense (DoD) released a cybersecurity framework with plans to mandate its implementation throughout the entire Defense Industrial Base (DIB). The Cybersecurity Maturity Model Certification (CMMC) grew out of the previous baseline, the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171 standard. However, NIST SP 800-171 required only self-certification of compliance; CMMC requires a Certified Third-Party Assessment Organization (C3PAO) to independently assess and certify a company’s implementation of the framework’s requirements.

In addition to the new CMMC framework, DoD has updated its Defense Federal Acquisition Regulation Supplement (DFARS) rules, from the existing 252.204-7012 clause to three new clauses (7019, 7020 and 7021), to allow enforcement of CMMC and include additional NIST SP 800-171 assessment requirements until CMMC is fully adopted over the next few years.

These new clauses were effective beginning Nov. 30, 2020.¹ Existing contracts will not be affected unless a change order is requested, but all new contracts will include the 7019 and 7020 clauses, which require an 800-171 self-assessment or may include the 7021 clause if the contract has been selected for CMMC implementation. We explain these clauses in further detail below.

^{_{The DFARS rules explained}}

We know that all the new clauses can be confusing, so we found it’s easier to understand them if we parse each clause into plain English.

Existing rule: DFARS 252.204-7012

Since June 2016, DoD contracts have addressed contractor cybersecurity measures by including the 7012 clause, which required contractors handling controlled unclassified information (CUI) to comply with the NIST SP 800-171 requirements by Dec. 31, 2017. Contractors were only required to self-certify compliance with the requirements and were allowed partial compliance as long as a remediation plan for non-compliant elements was developed (i.e., a Plan of Action and Milestones [POA&M] document).

New rules

Simply put, the new DFARS rules follow a “crawl, walk, run” approach, giving the DoD greater assurance in the security posture of its supply chain while the CMMC is phased in.

• “Crawl”: DFARS 252.204-7019, basic self-assessment
  Contractors must complete and upload a current self-assessment (less than three years old) against NIST SP 800-171 requirements using the DoD’s assessment methodology² into the DoD’s Supplier Performance Risk System (SPRS) in order to be awarded a contract after Nov. 30, 2020. If the self-assessment score indicates less than full 800-171 compliance, the contractor’s timeline for remediation to full compliance must also be uploaded.
• “Walk”: DFARS 252.204-7020, medium/high assessment
  Contractors must provide the government with access to its facilities, systems and personnel for DoD to conduct or renew a higher-level assessment or audit to verify the accuracy of the basic self-assessment. The clause also requires the contractor to ensure that applicable subcontractors also have the results of a current assessment posted in SPRS prior to awarding a subcontract.
•  “Run”: DFARS 252.204-7021, CMMC certification
  If included, the contractor must have and maintain the requisite CMMC level for the duration of the contract. Contractors are also responsible for confirming that all subcontractors supporting the contract have a current CMMC certificate at the level appropriate for the information that is flowed down to them.

• “Crawl”: DFARS 252.204-7019, basic self-assessment
  Contractors must complete and upload a current self-assessment (less than three years old) against NIST SP 800-171 requirements using the DoD’s assessment methodology² into the DoD’s Supplier Performance Risk System (SPRS) in order to be awarded a contract after Nov. 30, 2020. If the self-assessment score indicates less than full 800-171 compliance, the contractor’s timeline for remediation to full compliance must also be uploaded.
• “Walk”: DFARS 252.204-7020, medium/high assessment
  Contractors must provide the government with access to its facilities, systems and personnel for DoD to conduct or renew a higher-level assessment or audit to verify the accuracy of the basic self-assessment. The clause also requires the contractor to ensure that applicable subcontractors also have the results of a current assessment posted in SPRS prior to awarding a subcontract.
•  “Run”: DFARS 252.204-7021, CMMC certification
  If included, the contractor must have and maintain the requisite CMMC level for the duration of the contract. Contractors are also responsible for confirming that all subcontractors supporting the contract have a current CMMC certificate at the level appropriate for the information that is flowed down to them.

Does this affect me… 

…if I currently fulfill DoD contracts

Yes. You are required to continue complying with the NIST SP 800-171 requirements under the 252.204-7012 clause for the duration of your existing contract. Current guidance dictates that the new 7019 and 7020 clauses are unlikely to be added to existing contracts, but the DoD continues to possess the right to audit contractors’ compliance and has been completing audits of some contractors in recent years. Failure to maintain compliance has already resulted in lawsuits against companies based on the False Claims Act.

…if I am pursuing new DoD contracts?

Yes. You must at minimum have a NIST 800-171 basic assessment on file for all new contracts initiated beginning Nov. 30, 2020. In addition, the DoD is phasing in contracts over the next few years to require all contractors and subcontractors to have a current CMMC certification at the appropriate level in order to be awarded new contracts. 

Though there is scant information regarding which contracts will require CMMC certification at what point(s) over the next few years, if you have the existing 7012 requirement and handle CUI, you will need a CMMC Level 3 certification and should:

• Continue working toward full NIST 800-171 compliance, since CMMC Level 3 includes all existing NIST 800-171 requirements plus 20 new requirements.
• Consider that your organization’s next contract bid may require CMMC compliance or the prime contractor may request their subcontractors to comply, even if not yet required. Failure to possess the certification when required may prevent your business from being awarded the contract.
• Consider that the certification process alone may take at least three months once you start the process and that remediation of identified gaps may take 6–12 months or more, depending on the nature of the cybersecurity gaps.

…if I currently fulfill federal contracts, but not DoD contracts?

No. You are not currently required to adhere to this interim rule or become CMMC-compliant, as this currently only applies to DoD contracts. However, the GSA Stars III contract will require CMMC certification;³ several other federal agencies have similarly indicated that they will likely adopt CMMC as a requirement for contractors in the future.

…if I do not plan to fulfill any federal contracts?

No. You are not currently required to adhere to this interim rule or become CMMC-compliant, as this currently only applies to DoD contracts. However, a report earlier this year released by the Cyberspace Solarium Commission, established by Congress, included recommendations for additional cybersecurity requirements, including reporting and management attestations for companies subject to Sarbanes-Oxley requirements, cloud security certifications and a national data security and privacy protection law.⁴ These elements are already being considered within legislative proposals for 2021.⁵

I’m required to comply. What now? 

Follow this simplified list of next steps before your next contract proposal or renewal:

1. Create a contract inventory to determine which contracts include the DFARS 252.204-7012 clause and identify when contract recompletes are pending.
2. Identify the flow of CUI and the covered contractor information systems, including third-party subcontractors.
3. Conduct a gap assessment against the NIST 800-171 and CMMC Level 3 requirements.
4. Develop a POA&M road map to facilitate the remediation of any identified gaps.
5. Be prepared to submit your NIST 800-171 score and expected POA&M completion date to the SPRS database upon request.
6. Remediate your gaps and update SPRS submission as your organization’s cybersecurity posture improves, at least on an annual basis.
7. Maintain an effective cybersecurity risk and compliance management program.

Remember, failure to hold a NIST 800-171 self-assessment score and expected POA&M completion date in SPRS after Nov. 30, 2020 may stop your business from obtaining a new DoD contract award. Additionally, nearly all of the 350,000+ DoD contractors will be required to be CMMC-certified in the next few years. CMMC compliance cannot be self-certified, so your organization must be assessed and certified by an accredited CMMC C3PAO.

¹“Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041),” Federal Register, accessed Dec. 11, 2020, https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of

²“NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, Office of the Under Secretary of Defense for Acquisition & Sustainment, accessed Dec. 11, 2020, https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf

³“CMMC requirements show up in GSA’s STARS III contract,” Fedscoop, accessed Dec. 11, 2020, https://www.fedscoop.com/cmmc-requirements-federal-contract-stars-iii-gsa/.

⁴“Cyberspace Solarium Commission Report,” U.S. Cyberspace Solarium Commission, accessed Dec. 11, 2020, https://www.solarium.gov/report

⁵“Cyberspace Solarium Commission Report.”