Source: Barbara Wert, Sr. Regulatory Compliance Specialist

Introduction

Immediate action toward compliance with the requirements for handling Federal “Controlled Information” (CI) is required for Government contractors and subcontractors who wish to be eligible for Department of Defense (DoD) contracts issued after November 30, 2020. While there are numerous articles, blogs, and offers of consultation services surrounding the recent FAR, DFARS, and CMMC notices, this blog merely lays out a suggested plan of action for fellow subcontractors trying to keep up with all of the changes and timelines.

Briefly, here it is:

  • Assess your organization’s compliance with the 110 security controls in NIST SP 800-171;
  • Create a System Summary Plan (SSP) and Plan of Action and Milestones (POAM) to indicate your organization’s expected date of 100% compliance with the entire set of controls;
  • Prepare an official Assessment and upload it to the Supplier Performance Risk System (SPRS) no later than November 30, 2020;
  • Decide on the appropriate CMMC level your organization should certify to, and outline those requirements;
  • Complete implementation of the CMMC requirements and schedule the audit.

The Legislation

Here is a quick summary of the various rules and notices published over the past years relating to the handling of Federal Controlled Information, with links to key documents.

Please note that the requirements addressed herein are not exclusive of other requirements specified by Federal agencies and departments. Furthermore, readers should study each piece of legislation in its entirety for complete details of the requirements therein.

  1. 48 CFR § 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems

Introduced in 2016, Federal Acquisition Regulation (FAR) 52.204-21 lists fifteen security controls required, at a minimum, for protecting covered Federal information (“Controlled Information”, or “CI”) housed on a contractor’s or subcontractor’s information system. The clause includes a flowdown requirement.

Helpful links
  • The Clause: https://www.acquisition.gov/far/52.204-21-0
  • Federal Register – Summary and Supplemental Information: https://www.federalregister.gov/documents/2016/05/16/2016-11001/federal-acquisition-regulation-basic-safeguarding-of-contractor-information-systems

  2. 48 CFR § 252.204-7012 – Safeguarding covered defense information and cyber incident reporting

This section of the Defense Federal Acquisition Supplement (DFARS) outlines requirements for “unclassified information systems owned, or operated by or for, a contractor and that process, store, or transmit covered defense information”.

Section (b)(2) of this clause puts covered contractor information systems “that are not part of an IT service or system operated on behalf of the Government” in scope of the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”.

Additionally, 252.204-7012 includes a requirement for rapid cyber-incident reporting.

Government contractors and subcontractors were required to be compliant with 252.204-7012 as of December 31, 2017.

Helpful links
  • The Clause: https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
  • CUI Registry: https://www.archives.gov/cui/registry/category-list
  • NIST SP 800-171 Rev2: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
  • NIST SP 800-171A: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171A.pdf
  • NIST Handbook 162: https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf
  • Cyber-Incident Reporting: https://dibnet.dod.mil
  • Obtaining MSA certificate: https://public.cyber.mil/eca/

  3. 48 CFR § 252.204-7019 – Notice of NIST SP 800-171 DoD Assessment Requirements (DFARS Case 2019-D041)

Published in late September 2020, this clause introduces an “assessment methodology” for contractor compliance with NIST SP 800-171 controls. Contractors and subcontractors must have a current assessment of compliance with NIST SP 800-171 available on the Supplier Performance Risk System (SPRS) by November 30, 2020, in order to be eligible for consideration for a DoD contract award after that time.

Helpful links
  • Federal Register – Summary and Supplemental Information: https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of
  • NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1: https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf
  • SPRS: https://www.sprs.csd.disa.mil/

  4. 48 CFR § 252.204-7020 – Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)

This new DFARS clause “requires a contractor to provide the Government with access to its facilities, systems, and personnel when it is necessary for DoD to conduct or renew a higher-level Assessment”. Additionally, the clause requires contractors to ensure that applicable subcontractors have the results of a current DoD Assessment (“Basic”, “Medium” or “High”) uploaded to SPRS prior to subcontract award.

Flowdown of this clause to subcontractors is required.

Helpful links
  • Federal Register – Summary and Supplemental Information: https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of

  5. 48 CFR § 252.204-7021 – Cybersecurity Maturity Model Certification Requirements

CMMC, a third-party certification, has been a “buzzword” for many months, and this clause introduces the requirement into DoD contracts in a phased rollout between now and September 30, 2025. While CMMC is not an immediate concern for the majority of Government contractors and subcontractors, it is not too early to start mapping your organization’s road toward the certification.

The model includes requirements from a number of publications, including FAR 52.204-21, NIST SP 800-171, the Cybersecurity Framework (CSF), CERT-RMM Version 1.2, the CIS Controls, the AU ACSC Essential Eight, and UK NCSC Cyber Essentials.

The CMMC Accreditation Body, established in early 2020, leads the effort towards establishing curriculum, training, and third-party assessors to conduct audits.

Helpful links
  • CMMC v1.02: https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf
  • CMMC Accreditation Body: https://www.cmmcab.org/
  • NIST Cybersecurity Framework (CSF): https://www.nist.gov/cyberframework

Conclusion

If you have not started on the road to implementing controls for handling Controlled Information, do not wait another day! Deadlines are looming, assessments and plans are needed, and compliance is required for future DoD contract awards!