The CMMC Interim Rule: Bridging the Gap from DFARS to CMMC


BACKGROUND

In an attempt to stem the loss of sensitive data from cyber-attacks targeting its roughly 300,000 contractors, the Department of Defense in 2017 launched the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirements to improve the cybersecurity readiness of contractors of every size throughout the Defense Supply Chain (DSC). The program was based on compliance with the NIST SP 800-171 security control framework and was specifically intended to protect the Controlled Unclassified Information (CUI) specified in contract terms, statements of work, and other documentation generated and/or stored by defense contractors in the fulfillment of DoD contracts.

The initial implementation of DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, required defense contractors to self-assess and document their compliance with the 110 security controls prescribed in NIST SP 800-171, create a Plan of Action and Milestones (POAM) listing the non-compliant controls, and report their compliance score in the Supplier Performance Risk System (SPRS). An assessment was valid for three years, and the DoD required all contractors to have a current SPRS score on file before a contract could be awarded.

LESSONS LEARNED

Since then, the increased frequency of cyber-attacks, especially advanced persistent threats from rival nation-states, has prompted the DoD to re-evaluate its cybersecurity improvement program in order to provide greater protection for CUI throughout the DSC. In addition, the DoD discovered two major shortcomings of the DFARS 7012 implementation: the self-assessments gave contractors too much latitude in grading the readiness of their security controls, and the POAM gave contractors too much latitude in declaring that non-compliant security controls would be fixed at some future date.

The solution was the development and launch of the Cybersecurity Maturity Model Certification (CMMC) Framework in November 2020. The CMMC Framework has five maturity levels that are also based, more or less, on the NIST SP 800-171 security control framework, along with added maturity practices intended to ensure that contractors are not simply ticking boxes on a government-required checklist but are fundamentally improving the way they implement data protection.

CMMC VS. DFARS

The CMMC program eliminates self-assessments by requiring contractors to hire Certified Third-Party Assessors (C3PAs) to examine documentation, interview contractor personnel, and test security controls. CMMC also eliminates POAMs. To be CMMC compliant, a contractor must demonstrate compliance with all the security controls and practices required for the CMMC maturity level certification it is seeking, and can no longer defer compliance to a later date.

WHY THE INTERIM RULE?

The jump from a DFARS Clause 7012 self-assessment, with its latitude to document non-compliant controls and fix them later, to a strict pass/fail certification by a third-party assessor is a substantial one, especially for smaller contractors who typically have no dedicated security staff, and for any contractor who previously gave themselves a generous SPRS score.

To make the transition from DFARS to CMMC easier, the DoD instituted the Interim Rule, which essentially adds a couple of intermediate steps to help contractors ramp up their cyber maturity to the level required for CMMC certification. The new contract clauses DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, and 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, describe the assessment process, and the latter clause requires contractors to provide the government access to their facilities, systems, and personnel when higher-level reviews are required. Both clauses are to be included in all solicitations and contracts issued after November 30, 2020, including those for commercial items, unless solely Commercial Off The Shelf (COTS) products are involved.

THE INTERIM RULE STEPS: CLAUSES 7019, 7020, and 7021

DFARS Clause 7019 further requires contractors to supply information on each system being assessed, including the system security plan name, CAGE code, network architecture, date of assessment, SPRS score, and the date by which a perfect score of 110 will be achieved.

DFARS Clause 7020 introduces the requirement to have the System Security Plan (SSP) assessed by a government inspector, either remotely (Medium Assessment) or on-site (High Assessment), and adds a flow-down provision requiring all subcontractors (except those supplying only COTS products) to obtain the same level of certification.

DFARS Clause 7021 is CMMC itself. All security controls and practices required for a specific CMMC maturity level (1-5) must be fully implemented and confirmed by a C3PA in order to obtain CMMC certification for that level.

WHERE TO FROM HERE?

The DoD understands the substantial effort it is requiring of the defense contractor community to make these security improvements and has adopted a "Crawl, Walk, Run" mantra in its planning.

In calendar year 2021, only 15 contracts will be governed by CMMC, affecting roughly 1,500 prime contractors and subcontractors. That number increases to 75 contracts in 2022 and 250 contracts in 2023. The deadline for CMMC compliance at any level, in order to be awarded a DoD contract, is September 2025. All other DoD contracts (those not governed by CMMC requirements) will continue to be enforced under the DFARS provisions, with contracts awarded only to contractors who have submitted an SPRS score within the past three years.

The CMMC Accreditation Board (CMMC-AB) lists Certified Third Party Assessment Organizations (C3PAOs) that you can contact to hire a C3PA. The CMMC-AB also lists on its website (the CMMC Marketplace at cmmcab.org) CMMC Registered Practitioners who are trained in the CMMC process and can help Organizations Seeking Certification (OSCs) prepare for their CMMC assessment and certification.

The specific DFARS or CMMC level required for a given contract will be dictated by the sensitivity of the CUI involved. 
