Introduction to and Explanation of the Proposed DFARS Interim Rules
In a proposal published in the Federal Register, the DoD has outlined three new DFARS cybersecurity rules it wants to add as clauses to the DoD Federal Acquisition Regulation Supplement (DFARS, the DoD contracting rules):
- 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements
- 252.204-7020: NIST SP 800-171 DoD Assessment Requirements
- 252.204-7021: Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement
An important note is that the DFARS 252.204-7012 (DFARS 7012) clause will stay intact. DFARS 7012 requires contractors that process, store, and/or transmit DoD-related Controlled Unclassified Information (CUI) to implement two things:
- A cybersecurity program that meets the standard of the National Institute of Standards and Technology Special Publication (NIST SP) 800-171
- A cybersecurity incident response and reporting capability
The new DFARS cybersecurity rules, once approved, will supplement DFARS 7012 and can be added as clauses in contracts between the DoD and its supply chain vendors. Here’s a brief description of each one of these rules.
252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements
The DFARS Interim Rule gives notice to contractors that process CUI that their cybersecurity programs will be assessed against the DoD 800-171 Assessment Methodology. To be considered for contract award (or to be part of the subcontractor team that executes the contract), the contractor at a minimum must:
- Perform a Basic level assessment
- Submit the following information through the Supplier Performance Risk System (SPRS) or via email to [email protected]:
  - System security plan name
  - CAGE codes supported by this plan
  - Brief description of the plan architecture
  - Date of assessment
  - Total score
  - Date by which a score of 110 will be achieved
We have detailed the 800-171 Assessment Methodology and scoring system in this blog, which has a free tool for you to conduct a Basic assessment.
The DFARS Interim Rule details and describes in further detail the Basic, Medium, and High assessments and score reporting requirements. Contracting Officers are instructed to review SPRS for current contractor assessment scores prior to contract award.
Here’s a quick description of each of the confidence-level assessments:
Basic—a self-assessment performed by the contractor against the 800-171 Assessment Methodology. You start with a score of 110 and subtract points for each of the 110 NIST SP 800-171 controls you have not yet fully implemented. Some controls are worth more than one point, so you can end up with a negative score. You must have a System Security Plan (SSP, the “blueprints” for your cybersecurity program) in place to perform the assessment.
Medium—DCMA does an off-site review of your SSP to verify your Basic assessment score.
High—DCMA conducts an in-depth off- or on-site assessment of your entire cybersecurity program, utilizing the assessment objectives published in NIST SP 800-171A.
252.204-7020: NIST SP 800-171 DoD Assessment Requirements
Contractors must maintain a current score in the SPRS, meaning the assessment can be no more than three years old. To get access to the SPRS website, your organization unfortunately has to jump through some hoops:
- Have a CAC card or an ECA certificate. We have instructions on how to obtain an ECA certificate in this blog.
- Set up a workstation according to these instructions for accessing the PIEE site: https://piee.eb.mil/xhtml/unauth/web/homepage/machineSetup.xhtml
- Install the latest 32-bit JRE (32-bit is important): https://www.java.com/en/download/win10.jsp
- Use the Configure Java tool and add this site in the Security tab Exception Site List: https://piee.eb.mil
- Browse to https://piee.eb.mil in Internet Explorer (Internet Explorer is important!) and click Register from top right, then follow the instructions here: https://www.sprs.csd.disa.mil//pdf/PIEE-NonGovInstructions.pdf. NOTE: you’ll need your organization’s CAGE code to register
- Once you are into SPRS, you’ll need to follow the instructions described here: https://www.sprs.csd.disa.mil/pdf/NISTSP800-171QuickEntryGuide.pdf. NOTE: heed the instructions and screenshots that once you click the NIST SP 800-171 Assessment link in SPRS, you’ll need to “create a header” in the reporting interface to actually be able to report your score.
The Basic assessment generates what the DoD considers a “Low” confidence assessment score. This rule goes on to explain that the DoD, through the Defense Contract Management Agency (DCMA), may conduct higher confidence assessments (“Medium” or “High” confidence) and post the scores in SPRS.
252.204-7021: Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement
The DFARS Interim Rule requires contractors to have a current (no older than three years) Cybersecurity Maturity Model Certification (CMMC) at the Maturity level designated by the contract. If you’d like to know more about the CMMC, we have multiple blogs detailing the Model and how to approach implementation.
Proposed DFARS Interim Rule's timeline and impact on small business DoD contractors
The proposed DFARS cybersecurity rule changes may go into effect as early as December 2020. This means that the DoD could include these three clauses into new Requests for Proposals (RFP) and contracts starting in December 2020. Let’s look at the impact of the three clauses on small business contractors.
DFARS 7019/7020—The DoD 800-171 Assessment Methodology
The DoD 800-171 Assessment Methodology has actually been around since November 2019, as has the requirement for contractors to perform Basic assessments and submit scores to the SPRS. But this requirement was not widely circulated and was not explicitly written into contracts, so it hasn’t been widely executed. Once DFARS 252.204-7019 and 7020 are finalized, all of us DoD contractors should expect to have to perform the Basic assessment and submit our scores to the SPRS sooner rather than later. This Assessment Methodology may serve as a stopgap while the DoD phases in the CMMC, which will hold contractors fully accountable for securing the Federal Contract Information they manage.
The DoD estimates a three-year phase-in of clauses 7019/7020 into new contracts, requiring 8,800+ of us small businesses each year to perform Basic assessments. It also estimates DCMA will conduct as many as 148 Medium and 81 High confidence assessments annually on small business DoD contractors. The DoD estimates that calculating a Basic assessment score and reporting the required information to SPRS will take a small business less than one hour and $100 in labor costs. These estimates assume that if we process CUI (bearing in mind that the DoD has done an awful job following its own policy and explicitly identifying the CUI we may process) and have DFARS 7012 in our contract, we have already implemented the safeguards spelled out in 800-171. Obviously, an assessment of compliance with each 800-171 control will take some time, but we are already expected to have done this. The estimate above is simply to calculate and report a score.
Supporting DCMA Medium confidence assessments will burden the contractor more, and High assessments will put quite a strain on small businesses. The following image is lifted from the rule publication and details the estimated resource burden on small businesses to support each type of assessment:
DFARS 7021—The CMMC
The proposed DFARS 7021 cybersecurity rule will require DoD contractors to have a current (within the last three years) CMMC certification prior to contract award. This means that we can respond to an RFP without a CMMC certification, but we’ll have to have the certification in place before we start executing the contract. Unlike DFARS 7012/7019/7020, CMMC certification will be required of ALL DoD contractors, regardless of whether we process CUI or not. Every DoD supplier or vendor, even waste management and lawn maintenance service providers, will have to have at least a CMMC Level 1 certification.
The CMMC Assessment Methodology is currently being developed by the CMMC Accreditation Body (“CMMCAB”, cmmcab.org). The CMMCAB currently has a cadre of “Provisional Assessors” developing the methodology by assessing a set of “pathfinder” programs/projects. The CMMCAB’s own timeline does not anticipate being able to execute CMMC assessments before Winter/Spring 2021, much less issue certifications based on those assessments. It is therefore hard to conceive that the DoD would insert the DFARS 7021 clause into contracts in 2020, and it will be Q1 2021 at the earliest before any of us start seeing CMMC required by new contracts. For many of us small business contractors, it may be years before we see CMMC requirements in a contract. The table below shows how many of the estimated 163,000+ small business DoD contractors are affected each year during the planned 7-year phased inclusion of the CMMC clause in contracts:
You can see also from this table that the DoD estimates ~60% of small business contractors will only need a CMMC Level 1 cert. The rest of us process the more sensitive CUI in some form, and the majority of us CUI processors, or ~30% overall, will need a CMMC Level 3 cert. CMMC Levels 4 and 5 are reserved for a very small subset of contractors (e.g. large primes) that face advanced level adversaries.
Now, the really staggering part of the CMMC impact is support time and assessment fees. The table below shows the DoD’s estimate of annual costs to support a CMMC assessment at the various levels:
Keep in mind that these estimates are for assessments ONLY. The DoD assumes we’ve all been doing what has already been required of us and implementing the basic FAR 17 and/or the NIST 800-171 safeguards. (Additionally, we are no longer afforded the Plan of Action and Milestones (POA&M) to show planned implementation; all safeguards must be fully implemented at the time of assessment.) So, those of us who will need a CMMC Level 3 certification can expect to pay $60,000 annually just for CMMC assessments! (We’ll only need an assessment once every three years, but we’ll have to maintain our system, and the safeguards may change during those three years.) Part of the assessment cost is to pay for the assessor’s time, but another part is what your organization will have to pay your internal staff to support the assessment. The DoD estimates that, for the latter, it will take three of your senior people 64 hours each to support the assessment.
I think you can see the CMMC is going to be a huge burden on small businesses. The DoD has indicated that CMMC certification is going to be an “allowable, reimbursable cost”, but the DFARS Interim Rule makes no mention of how the DoD plans to reimburse us for the cost of assessment/certification.
It’s also not clear from the proposed cybersecurity rule how the DoD 800-171 Assessments and CMMC will work together, or if we could potentially be delivered contracts with both sets of clauses included. However, Katie Arrington, CISO of the Undersecretary of Defense Office of Acquisition and Sustainment, and DoD head of the CMMC program hinted in a LinkedIn post that there would be “reciprocity” between DCMA High level assessments and CMMC Level 3. The bottom line for her was that the “government does not want to pay twice for auditing [assessment] work.” To me, this indicates the government is preparing to pay for the assessments and certifications, or at least reimburse us for them, which is good news.
DoD's NIST 800-171 Assessment Methodology
We’ve developed a basic scoring worksheet based on the DoD’s Assessment Methodology available for download (check below). We’ve translated the 110 controls into layman’s terms, in the form of a single question for each control. To use the worksheet, work your way through answering “Yes” or “No” to each question, indicating if your organization is compliant (Yes) or non-compliant (No) with the control. Questions answered “No” have the DoD’s weighted value subtracted from 110. This worksheet will score your current cybersecurity program against the NIST 800-171 controls.
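The scoring described in the Basic assessment paragraph under 252.204-7019 and in the worksheet above is simple enough to automate, and doing so makes the arithmetic auditable when you report a score to SPRS. The following Python is an added example, not the blog’s downloadable worksheet and not a DoD tool. It parses a Yes/No worksheet in CSV form, starts at 110, subtracts the weight of every control answered “No”, and lists the deductions largest first so you know which gaps cost the most. The control numbers are real NIST SP 800-171 identifiers, but the questions and weights in the embedded sample are constructed for illustration; take the real weights from the DoD Assessment Methodology table. The sample also models the methodology’s partial credit for multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11) via an optional `partial` column; the column name and the “Partial” answer value are this example’s own conventions.

```python
import csv
import io
from dataclasses import dataclass, field

MAX_SCORE = 110  # the methodology starts every Basic assessment at 110 points

# Constructed sample worksheet (not the blog's worksheet, not the full
# 110-control table). Control IDs are real 800-171 identifiers; the
# questions and weights are illustrative only. The optional 'partial' column
# gives the reduced deduction the methodology allows on 3.5.3 and 3.13.11.
SAMPLE_WORKSHEET = """\
control,weight,question,answer,partial
3.1.1,5,"Do you limit system access to authorized users, processes, and devices?",Yes,
3.1.2,5,"Do you limit users to the transactions and functions they may perform?",No,
3.1.20,1,"Do you verify and control connections to external systems?",Yes,
3.5.3,5,"Is multifactor authentication in place for privileged and network access?",Partial,3
3.8.3,3,"Do you sanitize or destroy media containing CUI before disposal or reuse?",No,
3.13.11,5,"Is FIPS-validated cryptography used to protect CUI?",Partial,3
3.14.1,5,"Do you identify, report, and correct system flaws in a timely manner?",Yes,
"""


@dataclass
class Deduction:
    control: str
    weight: int
    answer: str
    deducted: int


@dataclass
class AssessmentResult:
    score: int
    deductions: list = field(default_factory=list)

    @property
    def unmet_controls(self):
        """Controls that cost points, in worksheet order."""
        return [d.control for d in self.deductions]


def parse_worksheet(text):
    """Parse the CSV worksheet into plain dicts; 'partial' is None when absent."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        partial = row.get("partial")
        rows.append({
            "control": row["control"].strip(),
            "weight": int(row["weight"]),
            "answer": row["answer"].strip().lower(),
            "partial": int(partial) if partial else None,
        })
    return rows


def score_assessment(rows):
    """Start at MAX_SCORE and subtract the weight of every control not answered 'Yes'.

    'Partial' only earns the reduced deduction when the row supplies one;
    any other partial implementation counts as not implemented. Blank or
    unrecognised answers are treated conservatively as 'No'. Because the
    weights sum to more than 110, the result can go negative.
    """
    result = AssessmentResult(score=MAX_SCORE)
    for row in rows:
        answer = row["answer"]
        if answer == "yes":
            continue
        if answer == "partial" and row["partial"] is not None:
            deducted = row["partial"]
        else:
            deducted = row["weight"]
        result.score -= deducted
        result.deductions.append(Deduction(row["control"], row["weight"], answer, deducted))
    return result


def remediation_order(result):
    """(control, points recovered) pairs, biggest gain first, worksheet order on ties."""
    ordered = sorted(result.deductions, key=lambda d: -d.deducted)
    return [(d.control, d.deducted) for d in ordered]


if __name__ == "__main__":
    res = score_assessment(parse_worksheet(SAMPLE_WORKSHEET))
    print(f"Score: {res.score} / {MAX_SCORE}")
    for control, points in remediation_order(res):
        print(f"  implement {control} to recover {points} point(s)")
```

Running the sample gives 96 out of 110: 5 points lost on 3.1.2, 3 on 3.8.3, and the reduced 3 each on the two partially implemented controls. Feeding the scorer a worksheet with every control answered “No” shows the negative result the text warns about, which is why the “date score of 110 will be achieved” field exists in the SPRS submission.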