DOD contractors need to self-assess cybersecurity readiness by November 30, 2020, or risk loss of funding.
The DOD enlists contractors and subcontractors in greater cybersecurity.
The theft of intellectual property and sensitive information due to malicious cyber activity threatens the USA’s national and economic security. In fact, over a 10-year period, it’s estimated to cost up to $1.1 trillion.
To counteract this issue, the DOD has released a number of clauses, rules, and standards over the last decade. Their goal is to ensure that all contractors and subcontractors have cohesive, compliant processes and systems in place to safeguard covered defense information (CDI) and controlled unclassified information (CUI).
On Sept. 29, 2020, the Department of Defense (DOD) issued an interim rule, Assessing Contractor Implementation of Cybersecurity Requirements, that implements its “Cybersecurity Maturity Model Certification” (CMMC) program.
Effective November 30, 2020, the rule will apply to all DOD contracts and subcontracts for the acquisition of commercial items and to acquisitions valued at or below the simplified acquisition threshold. The provision and clauses will not be applicable to contracts or subcontracts exclusively for the acquisition of commercially available off-the-shelf items.
The DOD will use the security requirements and assessment methodologies of both the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and the CMMC framework to verify the implementation of the processes and practices associated with achieving a given cybersecurity maturity level.
What is the Cybersecurity Maturity Model Certification (CMMC)?
The CMMC details the methodology and framework necessary to assess contractor implementation of cybersecurity requirements. It lays out the policies and procedures for awarding a contract or exercising an option on a contract between November 30, 2020 and November 20, 2025.
- It requires contractors to achieve a CMMC certificate at the level specified in the solicitation at the time of the award. There are five certification levels, each with increasingly stringent cybersecurity safeguarding requirements: Level 1 is “Basic Cyber Hygiene,” and Level 5 is “Advanced/Progressive.”
- Contractors must maintain a current (no more than three years old) CMMC certificate at the specified level throughout the life of the contract or task or delivery order.
- Contracting officers are prohibited from exercising an option period or extending the period of performance on the contract, task or delivery order to a contractor that does not have a current CMMC certification at the required level.
- CMMC certification will be recorded in the Supplier Performance Risk System (SPRS), and contracting officers are required to verify an offeror’s or contractor’s CMMC level in that system.
By October 1, 2025, all entities receiving DOD contracts and orders, other than those exclusively for commercially available off-the-shelf items or those valued at or below the micro-purchase threshold, will be required to hold the CMMC level identified in the solicitation (at a minimum, CMMC Level 1 certification). Large and small businesses alike will be required to renew their certification every three years.
Posting cybersecurity compliance and why it matters.
DFARS clause 252.204-7020, DOD Assessment Requirements, requires DOD contractors to immediately post assessments of their cybersecurity compliance on the DOD’s SPRS.
By posting, you demonstrate compliance and that you are a valid contractor for DOD funding and contracts. This is critical to new awards and to extending existing ones.
Bottom line: No Assessment – No Award
Subcontractors must post as well.
Prior to awarding a subcontract, prime contractors must ensure that the subcontractor has a current DOD Assessment posted in SPRS. This assessment must have been completed within the last three years.
Subcontractors at all tiers should be aware of this requirement and ensure compliance to maintain eligibility for awards.
If a subcontractor does NOT have summary-level scores of a current NIST SP 800-171 DOD Assessment posted in SPRS, it may conduct a Basic Assessment and submit it to the DOD for posting to SPRS, along with the information required by paragraph (d) of the clause.
What DOD SBIR contractors and subcontractors need to do. Now.
- Write a security plan. This can take one of two tracks:
  - Download a template at projectspectrum.io, or
  - Find a reputable cybersecurity consultant who is well-versed in CMMC and contractor compliance.
- Use the NIST 800-171 DOD Assessment Requirements scoring template to self-assess your security plan.
- Register with the Supplier Performance Risk System (SPRS) and report your score on the self-assessment. This needs to be done by December 1, 2020.
- Make sure your subcontractors are paying attention to this ruling and are taking the necessary steps to comply.
If you have any questions about this issue or any other issue with your DOD cost-reimbursable contract, please fill out the form below and one of our government contract accounting experts will be in touch.