New DFARS Requirements Effective November 30, 2020—Are You Ready?
On November 30, 2020, changes to the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity regulations will require that Department of Defense (DoD) contractors and subcontractors complete and submit a cybersecurity assessment to be eligible for new DoD contracts or new options under existing contracts.
The DoD announced these significant changes on September 29, 2020, which didn’t give contractors and subcontractors much time to prepare. In this blog, we’ll outline the key elements of these new regulations and what you need to do to ensure you’re ready to compete for new DoD business.
New DFARS Requirements
On September 29, 2020, the DoD announced DFARS changes—effective November 30, 2020—to improve the protection of controlled unclassified information (CUI) handled in contractor information systems. The changes described in this blog are introduced by the following new DFARS clauses:
DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements
DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements
DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements
Under the new regulations, a NIST SP 800-171 assessment must be completed on each contractor or subcontractor that will be handling CUI. Each assessment will be assigned a numerical point score using a new scoring system defined by the DoD.
Contractors are still required, under the existing DFARS 252.204-7012 clause, to maintain a system security plan (SSP) and plans of action for any NIST SP 800-171 requirements that have not yet been implemented.
NIST SP 800-171 Assessment scores for contractors that have not implemented all NIST requirements will be lower than scores for contractors that have implemented all of them. The regulation changes will give the DoD a comprehensive picture of which contractors have all of the controls in place and which are still working to implement the existing requirements.
To be eligible for new DoD contracts, all contractors and subcontractors that will be handling CUI must have on file with the DoD a NIST SP 800-171 Assessment that is no more than three years old on the date the contract is awarded.
Assessment Levels
The new DFARS regulations define three levels of NIST SP 800-171 Assessments: Basic, Medium, and High, which reflect the depth of the assessment performed and the level of confidence in the score resulting from the assessment.
Basic Assessments
All contractors will be required to complete a Basic Assessment, which is a self-assessment performed by the contractor. A Basic Assessment is based on the contractor’s review of their SSP and plans of action. After completing the assessment, contractors must provide the DoD with the resulting point score and summary level information about their SSP and plans of action for NIST SP 800-171 requirements that have not yet been implemented.
Because these assessments are performed without DoD involvement, the DoD assigns a “Low” confidence level to the contractor’s self-generated score.
Medium Assessments
Medium Assessments will be performed by DoD Assessors. Contractors must provide these assessors with access to their facilities and personnel if necessary. A Medium Assessment consists of:
A review of a contractor’s Basic Assessment
A thorough document review
Discussions with the contractor to obtain additional information or clarification, as needed
The DoD will calculate the point score for these assessments.
The DoD assigns a confidence level of “Medium” to these assessments.
High Assessments
High Assessments will also be performed by DoD Assessors. Contractors must provide these assessors with access to their facilities and personnel if necessary. A High Assessment consists of:
A review of a contractor’s Basic Assessment
A thorough document review
Verification, examination, and demonstration of a contractor’s system security plan to validate that NIST SP 800-171 security requirements have been implemented as described in the contractor’s system security plan
Discussions with the contractor to obtain additional information or clarification, as needed
The DoD will calculate the point score for these assessments.
The DoD assigns a confidence level of “High” to these assessments.
Number of DoD Assessments
It is expected that Medium and High Assessments will be conducted on a relatively small number of contractors each year, based on the DoD’s capacity to conduct these assessments. The DoD will have discretion to determine which contracts require Medium or High Assessments.
Assessment Scoring
The assessment scoring methodology examines whether each of the 110 NIST SP 800-171 security requirements has been implemented and uses a weighted scoring approach to reflect the risk created by each requirement that has not. A contractor that has implemented all 110 requirements receives the maximum score of 110 points. For each requirement not implemented, the methodology deducts that requirement's weight (1, 3, or 5 points); requirements whose absence has a greater impact on overall security risk carry a higher weight. Because the deductions are not capped at 110, a contractor with many unimplemented requirements can end up with a negative score.
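The following script, added here as an illustration and not part of the DoD's published tooling, shows the shape of a Basic self-assessment score calculation: start at 110, subtract each unimplemented requirement's weight, and apply the two partial-credit rules the methodology defines for multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11). The weight table is a constructed six-requirement subset used only for illustration; the authoritative weight for each of the 110 requirements is in Annex A of the DoD Assessment Methodology and should be loaded from there for real use. The sample findings are likewise constructed.

```python
"""Score a NIST SP 800-171 DoD Basic (self-)assessment the way the DoD
Assessment Methodology structures it: start at 110, deduct each
unimplemented requirement's weight (1, 3 or 5 points), with the two
partial-credit rules for 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Mapping

MAX_SCORE = 110

# ASSUMED/constructed subset of requirement weights, for illustration only.
# Annex A of the DoD Assessment Methodology holds the real weight for every
# one of the 110 requirements; load that table for an actual assessment.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.20": 1,   # verify and control connections to external systems
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography to protect CUI
    "3.14.1": 5,   # identify, report and correct flaws in a timely manner
}

# Partial-credit states: the methodology deducts 3 instead of 5 when MFA is
# in place for remote and privileged users but not general users, or when
# encryption is used but the module is not FIPS-validated.
PARTIAL_CREDIT: Dict[str, Dict[str, int]] = {
    "3.5.3": {"mfa_remote_and_privileged_only": 3},
    "3.13.11": {"encryption_not_fips_validated": 3},
}


@dataclass(frozen=True)
class Finding:
    req_id: str
    state: str       # "implemented", "not_implemented" or a partial state
    note: str = ""   # evidence / plan-of-action note carried into the SSP


def deduction(f: Finding, weights: Mapping[str, int] = WEIGHTS) -> int:
    """Points to subtract for one finding; rejects unknown IDs and states
    rather than silently deducting the wrong amount."""
    if f.req_id not in weights:
        raise KeyError(f"unknown requirement {f.req_id}")
    if f.state == "implemented":
        return 0
    if f.state == "not_implemented":
        return weights[f.req_id]
    partial = PARTIAL_CREDIT.get(f.req_id, {})
    if f.state in partial:
        return partial[f.state]
    raise ValueError(f"unrecognised state {f.state!r} for {f.req_id}")


def score(findings: Iterable[Finding],
          weights: Mapping[str, int] = WEIGHTS) -> int:
    """Total score. Every weighted requirement must appear exactly once,
    so an incomplete SSP review cannot produce an inflated number."""
    seen = set()
    total = MAX_SCORE
    for f in findings:
        if f.req_id in seen:
            raise ValueError(f"duplicate finding for {f.req_id}")
        seen.add(f.req_id)
        total -= deduction(f, weights)
    missing = sorted(set(weights) - seen)
    if missing:
        raise ValueError(f"unassessed requirements: {missing}")
    return total  # may be negative: deductions are not capped at 110


def poam_priority(findings: Iterable[Finding],
                  weights: Mapping[str, int] = WEIGHTS) -> List[Finding]:
    """Open items ordered by points recovered when fixed (stable for ties),
    a natural ordering for the plan of action."""
    open_items = [f for f in findings if deduction(f, weights) > 0]
    return sorted(open_items, key=lambda f: -deduction(f, weights))


# Constructed sample self-assessment (not real contractor data).
SAMPLE: List[Finding] = [
    Finding("3.1.1", "implemented"),
    Finding("3.1.2", "implemented"),
    Finding("3.1.20", "not_implemented", "no allow-list for outbound connections"),
    Finding("3.5.3", "mfa_remote_and_privileged_only", "MFA missing on local logons"),
    Finding("3.13.11", "encryption_not_fips_validated", "TLS stack not a validated module"),
    Finding("3.14.1", "implemented"),
]

if __name__ == "__main__":
    print("score:", score(SAMPLE))  # 110 - 1 - 3 - 3 = 103
    for item in poam_priority(SAMPLE):
        print(f"  {item.req_id}: -{deduction(item)}  {item.note}")
```

Running the script on the sample gives 103 (110 minus 1 for 3.1.20, 3 for the partial MFA rollout, and 3 for non-validated encryption) and lists the open items with the two 3-point deductions first. The same structure scales to the full 110-requirement table once the real weights are loaded.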
Subcontractor Compliance
Contractors are required to “flow down” the DoD assessment requirements to their subcontractors that will be handling CUI. These flow-down requirements reach the entire Defense Industrial Base (DIB), which is why over 300,000 companies are affected by these requirements.
CMMC
The DFARS changes announced on September 29, 2020 are an interim step on the road to full adoption of the DoD’s Cybersecurity Maturity Model Certification (CMMC), which will ultimately raise the bar for security of DoD contractors. It is expected that CMMC will be fully rolled out to the DIB by October 1, 2025.
The CMMC framework builds on the NIST SP 800-171 Assessment Methodology by adding a comprehensive and scalable certification element to verify the implementation of processes and practices associated with achievement of a security level. CMMC is intended to give the DoD increased assurance that a contractor can adequately protect sensitive unclassified information such as Federal Contract Information (FCI) and CUI at a level commensurate with the risk.
CMMC includes maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references (see the table below). The CMMC Maturity Levels and their associated sets of processes and practices are cumulative.
CMMC Level 1: Consists of the 15 basic safeguarding requirements from FAR clause 52.204-21.
CMMC Level 2: Consists of 65 security requirements from NIST SP 800-171 implemented via DFARS clause 252.204-7012, 7 CMMC practices, and 2 CMMC processes. Intended as an optional intermediary step for contractors as part of their progression to Level 3.
CMMC Level 3: Consists of all 110 security requirements from NIST SP 800-171, 20 CMMC practices, and 3 CMMC processes.
CMMC Level 4: Consists of all 110 security requirements from NIST SP 800-171, 46 CMMC practices, and 4 CMMC processes.
CMMC Level 5: Consists of all 110 security requirements from NIST SP 800-171, 61 CMMC practices, and 5 CMMC processes.
While this may sound intimidating, the good news is that by fully complying with the 110 requirements of NIST SP 800-171, you will have met 85% of the requirements for CMMC Maturity Level 3.
CMMC assessments will be conducted by accredited CMMC Third Party Assessment Organizations (C3PAOs).
DoD RFPs and RFIs will include the CMMC Maturity Level required of contractors wishing to bid on the contract.
Prior to October 1, 2025, when CMMC certification will be required for all DoD contracts, the DoD will identify candidate contracts that will include the CMMC requirement in the statement of work, including specific certification level.
Additional Information
Additional information on the DFARS changes that will be effective November 30, 2020 is available here. Additional CMMC information and a copy of the CMMC model is available here.
Now is the Time to Prepare
If you haven’t already done it, now is the time to prepare for the November 30, 2020 DFARS changes. Here’s a checklist of things you’ll need to do:
Make changes to your environment to bring it into compliance with all of the 110 NIST SP 800-171 security requirements. The more of these you can meet, the higher your assessment score will be, which will likely improve your odds of getting DoD contracts.
Develop and maintain a System Security Plan (SSP) that documents the system architecture and level of implementation for each of the required NIST controls.
Develop a Plan of Action and Milestones (POA&M) that lists, for each requirement not yet implemented, the actions you will take to implement it and the expected completion date for each action.
Conduct a NIST SP 800-171 self-assessment using the DFARS methodology.
Compute your score using the DoD scoring methodology, and record the date the assessment was completed and the date by which you expect all 110 requirements to be implemented; both are submitted along with the score.
Submit the required materials to the DoD. Here are sites you’ll need to access to submit the materials:
Review the Supplier Performance Risk System (SPRS) Awardee User Guide for instructions on how to upload and submit 800-171 assessments.
Request access and role assignment via the Procurement Integrated Enterprise Environment (PIEE). Note: include SPRS as a role within your account.
Access the Supplier Performance Risk System (SPRS) to submit your materials.
Contractors also need a CAGE code, issued by the Defense Logistics Agency, if they don’t already have one; SPRS records assessment results against the CAGE code(s) covered by the SSP.
If you plan to partner with subcontractors to bid on DoD contracts, work with them to ensure they complete the same steps.
More detailed information on the process and methodology for performing a NIST SP 800-171 self-assessment is available here.
Completing this self-assessment will not only ensure you are eligible for DoD contracts that require a Basic Assessment but will also prepare you for any contracts for which the DoD Assessors will be performing a Medium or High Assessment.
Once you’ve completed these steps, consider taking additional steps to prepare your environment for CMMC certification by a C3PAO. This will prepare you for contracts that may require this level of certification in the future. You’ve got a little more time to get this done, but you’ll want to get moving on this before too long if you plan to continue DoD contract work in the coming years.
We Can Help
If you have questions about the recent DFARS changes or would like help preparing for a NIST SP 800-171 Assessment or CMMC Certification, our team of security specialists can help. Just give us a call at (808) 861-9595 or email us at sos@cylanda.com.