DoD’s new interim rule twist for CMMC
The loss of controlled unclassified information (CUI) is a significant and costly problem for DoD. After assessing DoD contractor self-certifications and finding that only 36% of certain contractors had demonstrated implementation of all 110 security requirements outlined in NIST SP 800-171, the new guidelines include a clause allowing the government to formally assess defense contractor cybersecurity. Find out what else has some defense contractors worried about this new interim rule.
Cyber-criminal efforts have recently increased in size and sophistication, costing the global economy $2.9 million per minute, for a total of $1.5 trillion in 2018. Unfortunately, by 2021 these projections are expected to reach $6 trillion.
As a result of increased risk and a lack of uniform security, the Department of Defense (DoD) set out to improve the cyber resiliency and security of the Defense Industrial Base (DIB) sector, initially through a two-pronged approach intended to be rolled out next year. This proposed approach was meant not only to assess but also to verify a contractor's ability to protect the controlled unclassified information (CUI) on its information systems, and includes:
- compliance assessment using the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 known as NIST 800-171;
- certification under the CMMC Framework.
According to the Defense Federal Acquisition Regulation Supplement (DFARS) rule as released, after several cyber incidents involving the DIB, the DoD conducted High Assessments and found that only 36% of those contractors had implemented all 110 of the NIST SP 800-171 security requirements.
A new interim rule imposes new and surprising assessment obligations that allow the DoD to write clauses into RFPs requiring that defense contractors achieve CMMC to bid on all DoD contracts beginning November 30, 2020.
For Your Information: CMMC is the five-level cybersecurity maturity model. All defense contractors will need to receive a CMMC Third-Party Assessor Organization (C3PAO) assessment and certification from the CMMC Accreditation Body (CMMC-AB) before they can be awarded work on DoD contracts.
Defense contractors expected this ruling to provide clear guidance on DoD's Cybersecurity Maturity Model Certification (CMMC) framework, but it instead focuses on contractors complying with all 110 security controls in NIST 800-171.
Attend Coffee and Conversation Tuesday, October 27th at 11:00 AM, as FutureFeed CEO and a Cybersecurity Maturity Model Certification Accreditation Board Founding Director Mark Berman discusses these updates and how they affect you.
What does this mean for you?
As published, this DFARS rule is an interim rule that brings CMMC into contractual reality much earlier for defense contractors. Some will only be required to reach minimal cyber hygiene requirements included in 'Level 1' certification, but other large prime contractors may be required to test each of their individual networks through multiple assessments instead of an all-inclusive evaluation of their organization.
While some contractors' CMMC certification was expected to be required in RFQs and RFPs over the next five years, this interim rule will affect hundreds of thousands of contractors as early as next month. Further, the rule has not made clear who will make the final determination on the level each contractor or subcontractor needs to hold. CMMC's substantive implementation was supposed to be controlled by the CMMC-AB, the entity responsible for assessing the ecosystem's training, development, and quality control.
But for many contractors, especially those deemed low-risk, this interim rule outlines that they will be responsible for self-certification, performed every three years. For medium- and high-risk contractors, a DoD entity will certify compliance with NIST 800-171, with the risk tier depending largely on whether the defense contractor possesses CUI. Some defense contracting organizations, such as universities that perform unclassified research, have requested waiver accommodations to the interim rule.
A surprising aspect of this interim rule is the continuation of self-certification processes, when the CMMC-AB had intended to eliminate self-certification in favor of a more uniform protection posture across the DIB. Now a dual-track certification system applies: some contractors remain responsible for self-certifying their compliance with 800-171, but these organizations will eventually undergo a CMMC-AB certification to review compliance with CMMC Level 1.2. If the CMMC-AB's official assessment finds gaps compared to a company's self-assessment, there will be problems for the contractor.
It appears the prime contractor is responsible for assessing and ensuring that each subcontractor meets its required level. It is not explicit whether the DoD will play a role, meaning defense contractors need to follow the rule as it is written, knowing it could change over time.