This is the million-dollar question for Defense Industrial Base (DIB) members, isn’t it? Totem has many clients that do not appear to handle (store, process, transmit) Controlled Unclassified Information (CUI), but DFARS 204.7304(c) states that the DFARS 252.204-7012 clause (requirements for the protection of CUI) is to be included in all solicitations and contracts. So the question essentially is “can we ignore this clause and is CMMC then not applicable if we don’t handle CUI?” The answer, like the answers to many questions on the topic of DoD contractor cybersecurity, is: it depends. But this post will help elucidate some of the resources that we DIB members can use to find the answers we need. You can also download a copy of the DoD CIO’s office answers to some Frequently Asked Questions (FAQ) on this topic.
First we need to address the latter part of the question:
When is CMMC not applicable?
This answer is easy: CMMC is always applicable to all DIB members, except for those of us that solely deliver commercial off the shelf (COTS) items. All DoD contracts (except pure COTS) will include the DFARS 252.204-7021 clause that requires adherence with the CMMC, and primes and subcontractors will be required to flow this clause down to all members of the supply chain, whether or not they handle CUI. That’s because CMMC is a layered model, and ALL companies that work in any part of the DoD supply chain handle Federal Contract Information (FCI), which is covered under CMMC Level 1. At a minimum then, in accordance with CMMC Level 1, all DoD contractors will have to self-assess their implementation of the “basic” protections for FCI as called out by the FAR 52.204-21 clause. (Most of these basic protections are “low-hanging fruit”, such as ensuring antivirus is installed and your facilities remain locked. However, other basic protections, such as scanning for vulnerabilities, and logging all entry into the facilities, can be challenging for some small businesses. If you need help with understanding what needs to be done, give us a shout.)
The quote below from the DoD’s CMMC website FAQ page affirms that all DIB companies must perform a self-assessment at least at CMMC Level 1:
Q: Will my organization need to be certified if it does not handle CUI?
A: Contractors are required to safeguard information by inclusion of contract clauses such as FAR 52.204-21 (for FCI) or DFARS 252.204-7012 (for CUI). DoD’s intent under the CMMC program is to require assessment against the required cybersecurity standards (i.e., NIST SP 800-171) only when safeguarding of CUI is required. For some programs or some CUI, DoD will require certification based on assessment by a C3PAO or the Government, rather than relying on a self-assessment. If a DIB company does not process, store, or transmit CUI on its unclassified network, but does process, store or handle FCI, then it must perform a CMMC Level 1 self-assessment and submit the results with an annual affirmation by a senior company official into SPRS.
Now, when it comes to CUI and CMMC Level 2/3, the DoD itself has stated in the FAQ above that not all DoD contractors handle CUI. But, as we covered in the first paragraph of this post, all DoD solicitations, contracts, subcontracts, and acquisition documents (except for COTS) are to include the DFARS 252.204-7012 clause (“DFARS 7012” for short) which requires the protection of CUI. And to protect CUI we are expected to implement the NIST 800-171 standard cybersecurity practices (practices are also called “controls”). Implementing 800-171 is no joke. If your small business doesn’t handle CUI, you don’t necessarily want to start on an 800-171 implementation journey (yes, “journey” is the euphemism we use — CUI protection takes a while) if you don’t have to.
So it boils down to this: even if we don’t handle CUI we may still face requirements to protect it, and those protections are time consuming and costly to implement. This is an expensive kind of “chicken and egg” problem. What gives then? How do we avoid then having to abide by the DFARS 7012 clause if we don’t handle CUI? Onward for the answers!
When can we ignore DFARS 7012 and NIST 800-171?
The answer to this dilemma appears to come from the DoD CIO office in their cybersecurity FAQ, question #6 (you can download this FAQ document using the form below):
If performance of the contract does not involve covered defense information or operationally critical support, then the clause does not apply and compliance is not required. If the contract does involve covered defense information, but the information is not processed, stored or transmitted on the contractor’s unclassified information system, the requirements related to covered defense information do not apply and compliance is not required.
You only have to implement the security requirements in NIST SP 800-171 if your contract includes DFARS clause 252.204-7012 AND you are provided covered defense information by DoD (or are developing covered defense information for DoD) AND you are processing, storing or transmitting that covered defense information on your information system/network.
So this appears to be the DoD telling us DFARS 7012 — and by association the NIST 800-171 standard — is not applicable if no CUI is present, especially if the Contracting Officer or customer tells you in writing that no CUI is present and you’ve never seen anything marked “CUI”.
However, the FAQ doesn’t address what a contractor is to do when the DFARS 252.204-7019 / 7020 clauses are in our solicitation / contract / flowdown. An issue arises because these clauses indicate we are to
- self-assess our implementation of NIST 800-171 and report the assessment score to the DoD and,
- prepare to host the government for a verification assessment should they ask to perform one.
DFARS 7019 and 7020 are the clauses that require DoD contractors to submit a Supplier Performance Risk System (SPRS) score. And per the DFARS 204.7304, DFARS 7019 is to be included in all solicitations (e.g. RFI and RFP), while 7020 is to be included in all solicitations, contracts, task orders, and delivery orders (except for COTS). And, just as with DFARS 7012, the DFARS 7020 is required to be “flowed down” the supply chain by being included in all subcontracts and acquisitions. So 3rd, 4th, 5th tier suppliers and vendors in the DIB will see this requirement.
If we have either of these clauses present, but 7012 is considered not applicable based on the rationale we outlined above, we are in a catch-22: we don’t have to implement NIST 800-171, yet we are required to assess our level of implementation, or allow the government to assess it. Unfortunately it appears there is no scenario in which we can ignore the NIST 800-171 standard altogether (unless we provide COTS items).
Until the DoD CIO addresses this dilemma, the best we can hope for is to open up communication with our customers and get it in writing that we are not required to abide DFARS 7019 or 7020. And we aren’t convinced the customers (prime contractors and DoD contracting officers) understand the situation well enough to make those types of determinations. Alas.
In lieu of DoD CIO guidance on this situation, if you’re faced with DFARS 7019 / 7020 or other SPRS scoring requirements but don’t handle CUI, we can help. Check out our Workshop on this subject. In an hour and a half you’ll leave the Workshop with all the tools you need to satisfy the requirements of those clauses, and understand better if you truly don’t need to worry about NIST 800-171.
To reiterate however, there is no scenario (except for COTS) where CMMC is not applicable. All DIB members will have to meet at least CMMC Level 1 for the protection of FCI.
Clear as mud? No worries, we are happy to chat about this with you, just reach out and we’ll schedule a meeting. Or attend our DFARS / NIST / CMMC Workshop where we break all this down in detail. Meanwhile,
Good Hunting!
–Adam
