Contractors that have not implemented NIST SP 800-171 face significant material and reputational risks, as a recent DoD memorandum makes clear.
In the memorandum, issued June 16, 2022, the DoD reminded contractors that they must continue making progress toward implementing the NIST SP 800-171 security requirements. As evidence of that progress, contractors must post the summary level score from their NIST SP 800-171 DoD Assessment in the Supplier Performance Risk System (SPRS).
The DoD also highlighted the ongoing risk to contractors that have not yet implemented NIST SP 800-171 as required by the DFARS cybersecurity clauses. Failure to comply can result in termination of existing contracts or loss of eligibility for future contracts involving Controlled Unclassified Information (CUI).
Finally, the memorandum signals that contractors cannot wait for the Cybersecurity Maturity Model Certification (CMMC) program, which the DoD expects to take effect in mid-2023. They must act now to implement the relevant requirements and safeguard CUI.
This article sorts out the main actions a contractor that works with, or plans to work with, CUI on behalf of the DoD should take to stay out of trouble.
The DoD memorandum underscores the importance of complying with the DFARS clauses rolled out earlier. These clauses define the cybersecurity obligations of DoD contractors that receive or generate CUI.
Since Dec. 31, 2017, DFARS 252.204-7012 has required contractors to provide "adequate security" on all covered contractor information systems that process, store, or transmit CUI by implementing the security requirements of NIST SP 800-171.
Under NIST SP 800-171, contractors must maintain a System Security Plan (SSP) describing how they meet, or will meet, each security requirement. The applicable version of NIST SP 800-171 is the one in effect when the solicitation is issued, unless the contracting officer authorizes otherwise. The current version is NIST SP 800-171 Rev. 2, which specifies 110 security requirements (commonly called controls) grouped into 14 families.
If a contractor has not implemented all 110 requirements, it must document in a Plan of Action and Milestones (POAM) how and when each unimplemented requirement will be implemented.
Implementation of the DFARS 252.204-7012 requirements lagged, in part because the clause provided no mechanism for assessing whether a contractor had actually implemented them. In response, the DoD introduced the NIST SP 800-171 DoD Assessment Methodology and the CMMC framework in September 2020.
DFARS 252.204-7019, introduced in September 2020, sets specific requirements for NIST SP 800-171 assessments. The provision defines three assessment levels, Basic, Medium, and High, by reference to the NIST SP 800-171 DoD Assessment Methodology: a Basic assessment is a contractor self-assessment, while Medium and High assessments are performed by the government. Contractors must have a current summary level score, not more than three years old, for a NIST SP 800-171 assessment posted in SPRS.
In other words, DFARS 252.204-7019 spells out how NIST SP 800-171 compliance is measured and what to do when not all 110 requirements are met. The provision does not require a particular score; it requires that the contractor perform an assessment, produce a score, and post that score. It does not demand a perfect score of 110, but the score submitted must be accurate, and every requirement that is not yet implemented must be covered by a POAM.
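As an added illustration, not code from the article, the memorandum, or the DoD, the following Python sketch applies the scoring rules of the NIST SP 800-171 DoD Assessment Methodology to a constructed sample assessment: the score starts at 110, each unimplemented requirement subtracts its weighted value (5, 3, or 1), two requirements allow partial credit, an open finding must carry a POAM milestone, and the resulting score is checked against the three-year age limit. The weights for the five requirements used here are given from memory of the methodology's Annex A and should be verified against the published table; the three-year check uses 365-day years as a simplification; the findings and dates are made-up sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Union

# Weighted values per requirement are published in Annex A of the DoD Assessment
# Methodology. Only the five used by the sample below are listed; they are quoted
# from memory and must be verified against the current Annex A before use.
WEIGHTS = {
    "3.1.1": 5,     # Limit system access to authorized users
    "3.1.3": 1,     # Control the flow of CUI
    "3.1.5": 3,     # Employ the principle of least privilege
    "3.5.3": 5,     # Use multifactor authentication
    "3.13.11": 5,   # Employ FIPS-validated cryptography to protect CUI
}

# Partial credit exists for exactly two requirements: MFA in place for remote and
# privileged access but not for general users (3.5.3), and encryption in use but
# not FIPS-validated (3.13.11). Each then subtracts 3 points instead of 5.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

MAX_SCORE = 110                # all 110 requirements implemented
SPRS_MAX_AGE_DAYS = 3 * 365    # posted score must not be older than three years


@dataclass
class Finding:
    control: str                        # requirement ID, e.g. "3.5.3"
    status: str                         # "met", "partial", or "not_met"
    poam_date: Optional[date] = None    # milestone for an unimplemented requirement


def _as_date(value: Union[str, date]) -> date:
    return date.fromisoformat(value) if isinstance(value, str) else value


def score_assessment(findings, assessment_date, today):
    """Return the SPRS summary score, the POAM entries it implies, and whether the
    assessment is still current. Dates may be date objects or ISO strings."""
    score = MAX_SCORE
    poam = []
    for f in findings:
        if f.control not in WEIGHTS:
            raise ValueError(f"unknown requirement {f.control}")
        if f.status == "met":
            continue
        if f.status == "partial":
            if f.control not in PARTIAL_DEDUCTION:
                raise ValueError(f"{f.control} has no partial-credit option; report it as not_met")
            deduction = PARTIAL_DEDUCTION[f.control]
        elif f.status == "not_met":
            deduction = WEIGHTS[f.control]
        else:
            raise ValueError(f"bad status {f.status!r} for {f.control}")
        # -7012 requires a plan of action for every unimplemented requirement, so an
        # open finding without a milestone cannot be submitted as an accurate score.
        if f.poam_date is None:
            raise ValueError(f"{f.control} is open but has no POAM milestone")
        score -= deduction
        poam.append((f.control, f.status, f.poam_date))
    age_days = (_as_date(today) - _as_date(assessment_date)).days
    return {"score": score, "poam": poam, "stale": age_days > SPRS_MAX_AGE_DAYS}


# Constructed sample assessment (not real contractor data).
SAMPLE = [
    Finding("3.1.1", "met"),
    Finding("3.1.3", "not_met", date(2023, 1, 31)),
    Finding("3.1.5", "not_met", date(2022, 12, 15)),
    Finding("3.5.3", "partial", date(2022, 10, 1)),   # MFA missing for general users
    Finding("3.13.11", "met"),
]

if __name__ == "__main__":
    # Assessed on the memorandum date and checked two weeks later: score 103, three
    # POAM items, not stale. Re-run with an older assessment date to see stale=True.
    print(score_assessment(SAMPLE, "2022-06-16", "2022-07-01"))
```

The sample scores 103 rather than 110, which is exactly the situation the provision anticipates: the score is posted as-is, and the three open items appear in the POAM with dates. Changing a status to "met" without the control actually being in place would raise the score but make the submission inaccurate, which is the failure the memorandum warns about.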
DFARS 252.204-7021 introduces CMMC as a "framework that measures a contractor's cybersecurity maturity to include implementing cybersecurity practices and institutionalization of processes." As originally conceived, CMMC added requirements beyond NIST SP 800-171, did not allow POAMs for unimplemented controls, and required third-party assessments with no option for self-assessment. It was therefore criticized as burdensome, especially for nontraditional defense contractors and small businesses.
In response, on Nov. 17, 2021, the DoD announced CMMC 2.0, a revised version of the framework. Unlike the original, CMMC 2.0 imposes no additional unique security requirements, permits POAMs for unimplemented controls, and permits self-assessment for most contractors. Third-party or government assessments will be required only for "prioritized acquisitions involving CUI." The DoD's CMMC 2.0 interim rule is expected to be issued by May 2023.
You can find more details about the DFARS clauses in our article Unscrambling Confusion around CUI Protection Requirements.
The DoD memorandum reminds contracting officers that "Failure to have or to make progress on implementing NIST SP 800-171 requirements may be considered a material breach of contract requirements." This statement matters for how contractors treat implementation. A contractor cannot simply draft an SSP and a POAM and leave them untouched; it must make continuous, demonstrable progress on the items in its POAM.
While the memorandum focuses on NIST SP 800-171 implementation, the other requirements of the -7012 clause must not be neglected. These requirements include the following.
Incident reporting: contractors handling CUI must report cyber incidents affecting covered contractor information systems or the CUI on them, and they have no more than 72 hours from discovery to do so.
Cloud services: a contractor that uses an external cloud service provider to store, process, or transmit CUI must ensure the provider meets security requirements equivalent to the FedRAMP Moderate baseline. Where the contractor itself provides cloud computing services to the DoD, DFARS 252.239-7010 applies as well.
Government assessment: the Defense Contract Management Agency assesses supplier compliance with DFARS 252.204-7012 and verifies that the requirements for CUI protection are maintained.
Verification before award: the memorandum also notes the contracting officer's obligation to verify that a current assessment score is posted in SPRS before awarding a contract.
The DoD memorandum should alert contractors that the DoD is emphasizing NIST SP 800-171 now and is not waiting for CMMC. DoD contractors should therefore focus on implementing the requirements, perform their DoD Assessments, and post their scores in SPRS. In light of the memorandum, contracting officers are likely to enforce the DFARS cybersecurity requirements more actively, which could include reviews of SSPs and POAMs and other inquiries into a contractor's cybersecurity posture.
Cybersecurity requirements for government contractors are continually evolving. Take steps now to ensure you are meeting all DoD obligations, and feel free to contact Planet 9 if you have any questions. We’ll be happy to assist!