DOD contractors need to self-assess cybersecurity readiness by November 30, 2020, or risk loss of funding.
The theft of intellectual property and sensitive information due to malicious cyber activity threatens the USA’s national and economic security. In fact, over a 10-year period, it’s estimated to cost up to $1.1 trillion.
To counteract this issue, the DOD has released a number of clauses, rules, and standards over the last decade. Their goal is to ensure that all contractors and subcontractors have cohesive, compliant processes and systems in place to safeguard covered defense information (CDI) and controlled unclassified information (CUI).
On Sept. 29, 2020, the Department of Defense (DOD) issued an interim rule, Assessing Contractor Implementation of Cybersecurity Requirements, that implements its “Cybersecurity Maturity Model Certification” (CMMC) program.
Effective November 30, 2020, the rule will apply to all DOD contracts and subcontracts for the acquisition of commercial items and to acquisitions valued at or below the simplified acquisition threshold. The provision and clauses will not be applicable to contracts or subcontracts exclusively for the acquisition of commercially available off-the-shelf items.
The security requirements and assessment methodologies of both the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and the Cybersecurity Maturity Model Certification (CMMC) framework will be used by the DOD to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level.
The CMMC details the methodology and framework necessary to assess contractor implementation of cybersecurity requirements. It lays out the policies and procedures for awarding a contract or exercising an option on a contract between November 30, 2020 and November 20, 2025.
By October 1, 2025, all entities receiving DOD contracts and orders, other than those exclusively for commercially available off-the-shelf items or those valued at or below the micro-purchase threshold, will be required to hold the CMMC Level identified in the solicitation (at a minimum, CMMC Level 1 certification). Large and small businesses will be required to renew their certification every three years.
DFARS clause 252.204-7020, DOD Assessment Requirements, requires DOD contractors to immediately post assessments of their cybersecurity compliance on the DOD’s Supplier Performance Risk System (SPRS).
By posting, you demonstrate compliance and that you are a valid contractor for DOD funding and contracts. This is critical to new awards and to extending existing ones.
Prior to awarding a subcontract, prime contractors must ensure that the subcontractor has a current DOD Assessment posted in SPRS. This Assessment must have been completed in the last three years.
Subcontractors at all tiers should be aware of this requirement and ensure compliance to maintain eligibility for awards.
If a subcontractor does NOT have summary-level scores of a current NIST SP 800-171 DOD Assessment posted in SPRS, they may conduct and submit a Basic Assessment to the DOD for posting to SPRS, along with the information required by paragraph (d) of the clause.
If you have any questions about this issue or any other issue with your DOD cost-reimbursable contract, please fill out the form below and one of our government contract accounting experts will be in touch.