Source: Barbara Wert, Sr. Regulatory Compliance Specialist
Introduction
Immediate action towards compliance to handling Federal “Controlled Information” (CI) is required for Government contractors and subcontractors who wish to be eligible for Department of Defense (DoD) contracts issued after November 30, 2020. While there are numerous articles, blogs, and offers of consultation services surrounding the recent FAR, DFARS, and CMMC notices, this blog merely lays out a suggested plan of action for fellow subcontractors trying to keep up with all of the changes and timelines.
Briefly, here it is:
- Assess your organization’s compliance to the 110 security controls in NIST SP 800-171;
- Create a System Summary Plan (SSP) and Plan of Action and Milestones (POAM) to indicate your organization’s expected date of 100% compliance to the entire set of controls;
- Prepare an official Assessment and upload it to the Supplier Performance Risk System (SPRS) no later than November 30, 2020.
- Decide on appropriate CMMC level your organization should certify to, and outline those requirements
- Complete implementation of CMMC requirements and schedule audit
The Legislation
Here is a quick summary of the various rules and notices published over the past years relating to the handling of Federal Controlled Information, with links to key documents.
Please note that the requirements addressed herein are not exclusive of other requirements specified by Federal agencies and departments. Furthermore, readers should study, in entirety, each piece of legislation, for complete details of the requirements therein.
- 48 CFR § 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems
Introduced in 2016, Federal Acquisition Regulation (FAR) 52.204-21 lists fifteen security controls required, at a minimum, for protecting covered Federal information (“Controlled Information”, or, “CI”) housed on a contractor or subcontractor’s information system. The clause includes a flowdown requirement.
| What it is: | The link: |
| The Clause | https://www.acquisition.gov/far/52.204-21-0 |
| Federal Register – Summary and Supplemental Information | https://www.federalregister.gov/documents/2016/05/16/2016-11001/federal-acquisition-regulation-basic-safeguarding-of-contractor-information-systems |
- 48 CFR § 252.204-7012 – Safeguarding covered defense information and cyber incident reporting
This section of the Defense Federal Acquisition Supplement (DFARS) outlines requirements for “unclassified information systems owned, or operated by or for, a contractor and that process, store, or transmit covered defense information”.
Section (b)(2) of this clause puts covered contractor information systems “that are not part of an IT service or system operated on behalf of the Government” in scope of the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”.
Additionally, 252.204-7012 includes a requirement for rapid cyber-incident reporting.
Government contractors and subcontractors were required to be compliant with 252.204-7012 as of December 31, 2017.
| Helpful links | |
| The Clause | https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012 |
| CUI Registry | https://www.archives.gov/cui/registry/category-list |
| NIST SP 800-171 Rev2 | https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final |
| NIST SP 800-171A | https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171A.pdf |
| NIST Handbook 162 | https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf |
| Cyber-Incident Reporting | https://dibnet.dod.mil |
| Obtaining MSA certificate | https://public.cyber.mil/eca/ |
- 48 CFR § 252.204-7019 – Notice of NIST SP 800-171 DoD Assessment Requirements (DFARS Case 2019-D041)
Published in late September 2020, this clause introduces an “assessment methodology” for contractor compliance to NIST SP 800-171 controls. Contractors and subcontractors must have a current assessment of compliance to NIST SP 800-171 available on the Supplier Performance Risk System (SPRS) by November 30, 2020, in order to be eligible for consideration of a DoD contract award after that time.
| Helpful links | |
| Federal Register – Summary and Supplemental Information | https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of |
| NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1 | https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf |
| SPRS | https://www.sprs.csd.disa.mil/ |
- 48 CFR § 252.204-7020 – Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)
This new DFARS clause “requires a contractor to provide the Government with access to its facilities, systems, and personnel when it is necessary for DoD to conduct or renew a higher-level Assessment”. Additionally, the clause requires contractors to ensure that applicable subcontractors have results of a current DoD Assessment (“Basic”, “Medium” or “High”) uploaded to SPRS prior to subcontract award.
Flowdown of this clause to subcontractors is required.
| Helpful links | |
| Federal Register – Summary and Supplemental Information | https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of |
- 48 CFR § 252.204-7021 – Cybersecurity Maturity Model Certification Requirements
CMMC, a third-party certification, has been a “buzz word” for many months, and this clause introduces the requirement into DoD contracts in a phased rollout between now and September 30, 2025. While CMMC is not an immediate concern for the majority of Government contractors and subcontractors, it is not too early to start mapping your organization’s road towards the certification.
The model includes requirements from a number of publications, including, FAR 52.204-21, NIST SP 800-171, Cybersecurity Framework (CSF), CERT-RMM Version 1.2, CIS Controls, AU ACSC Essential Eight, UK NCSC Cyber Essentials.
The CMMC Accreditation Body, established in early 2020, leads the effort towards establishing curriculum, training, and third-party assessors to conduct audits.
| Helpful links | |
| CMMC v1.02 | https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf |
| CMMC Accreditation Body | https://www.cmmcab.org/ |
| NIST Cybersecurity Framework (CSF) | https://www.nist.gov/cyberframework |
Conclusion
If you have not started on the road to implementing controls for handling Controlled Information, do not wait another day! Deadlines are looming, assessments and plans are needed, and compliance is required for future DoD contract awards!