- Posted on: Nov 9 2022
By: Lawrence L. Muir, Jr. [11/9/22]
This is not a blog post about the CMMC. The blogosphere is saturated with CMMC content, and the longer the program stretches into indefiniteness, the more content is delivered to an audience drowning it out. But that does not mean that lawyers and contracts managers should ignore the three new regulations in the DFARS, nor does it mean that those parties should fail to prepare their clients and companies for stronger cybersecurity requirements. This blog briefly explains the new regulations, helps readers identify which requirements fall within their respective responsibilities, and suggests what should be done now.
DFARS 252.204-7019 is a regulation on cybersecurity fundamentals. It explains the three types of assessments (basic, medium, and high) and provides a three-year maximum for a cybersecurity assessment to be valid. The assessment framework standard is NIST SP 800-171, which currently exists in Revision 2 but will soon be in Revision 3. A government contractor should contact an assessment company and have people in their company work alongside the assessor to help organize documentation and to understand the assessment process. The assessment should be performed against the 800-171 Revision 2 framework, with mapping to the Revision 3 framework when that final version is released. The assessor should include all supporting documentation for each of the 110 controls in case the company is later required to undergo a third-party audit by the government. Those audits are known as medium and high assessments and are explained in more detail below.
After completion of this 800-171 Rev. 2 assessment, the regulation requires your company to upload the scoring for each of the controls into the Supplier Performance Risk System (SPRS). Scoring in this system is nonsensical. A company starts with the max score of 110. A company receives zero points for implementing a control and loses the point value of the control for not implementing a control, giving a minimum score of -203.
Companies must list the name of the assessing organization and include the System Security Plan (SSP). Be certain to include in your assessment contract that the assessing organization will deliver a breakdown of your SPRS score and the SSP to your organization. The assessor will likely also provide you with a Plan of Action & Milestones (POAM) document. Work with your IT director, the assessor, or whoever is in charge of implementing the deficient controls that can meaningfully improve the SPRS score, so that your company is more competitive in bidding and/or contract qualification.
Basic assessment requirements are straightforward and defined in 7020. Most significantly, a contractor can undergo a self-assessment and report their score on the honor system. There are 5 other mandated pieces of information in 7019, but the conducting agency and the satisfaction of the SSP (control 3.12.4 of the 800-171) are the most important. A company must also report the date by which all 110 controls will be implemented, so be certain that the assessor includes that information in the POAMs. A basic self-assessment is defined as a contractor's self-assessment of the contractor's implementation of NIST SP 800-171 that is based on the contractor's review of their system security plan(s) associated with covered contractor information system(s); is conducted in accordance with the NIST SP 800-171 DoD Assessment Methodology; and results in a confidence level of "Low" in the resulting score, because it is a self-generated score. Basic self-assessments also help companies that must undergo medium and high assessments.
Regulation 7019 also discusses Medium and High Assessments, which will be conducted by third parties, particularly government-certified groups. A “Medium Assessment” means an assessment conducted by the Government that consists of a review of a contractor’s Basic Assessment; a thorough document review; and discussions with the contractor to obtain additional information or clarification, as needed. Medium assessments result in a confidence level of “Medium” in the resulting score.
Government contractors that routinely handle controlled unclassified information (CUI) are better off avoiding the self-assessment and having a professional outside assessment. This will leave the contractor better prepared for a government assessment and more conversant in the cybersecurity plan for their system. Once again, a company should require this consulting preparation from its retained assessor. The organization should be able to discuss the information flow on its networks, how the controls operate on its system, the documentation needed to ensure continued compliance, and how it will monitor its system over the 2-3 year lifetime of its valid assessment.
A “High Assessment” means an assessment that is conducted by Government personnel using NIST SP 800-171A; that consists of a review of a contractor’s Basic Assessment; a thorough document review; verification, examination, and demonstration of a Contractor’s system security plan to validate that NIST SP 800-171 security requirements have been implemented as described in the contractor’s system security plan; and discussions with the contractor to obtain additional information or clarification, as needed. The high assessment results in a high degree of confidence.
The difference between a medium assessment and a high assessment in 7020 is the use of NIST 800-171A. This document contains the assessment objectives for each of the 110 controls. Each assessment objective connected to a single control must be demonstrably satisfied for the control to be marked as implemented. It is a more rigorous assessment using the same standard because it incorporates a document that requires a deeper examination of a system.
If a company must undergo a medium or high assessment, the DoD will provide Medium and High Assessment summary level scores to the Contractor and offer the opportunity for rebuttal and adjudication of assessment summary level scores prior to posting the summary level scores to SPRS. A rebuttal must be made within 14 business days. A proper rebuttal will provide additional information to demonstrate that the contractor meets any security requirements not observed by the assessment team, or to rebut findings that are in question. This further substantiates the earlier recommendation to work closely with a private assessor so that all the rebuttal documentation and expertise is essentially prepared in advance of the DoD results. This will help the contractor know whether the assessment should be appealed and help articulate the appeal in a more persuasive and factual manner.
Most importantly, 7020 requires prime contractors to work with their subcontractors on their cybersecurity. The mandatory requirement is that prime contractors must insert the substance of the clauses in 7020(g) in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial items. The Contractor shall not award a subcontract or other contractual instrument that is subject to the implementation of NIST SP 800-171 security requirements, in accordance with DFARS clause 252.204-7012 of this contract, unless the subcontractor has completed, within the last 3 years, at least a Basic NIST SP 800-171 DoD Assessment for all covered contractor information systems relevant to its offer that are not part of an information technology service or system operated on behalf of the Government. If a subcontractor does not have summary level scores of a current NIST SP 800-171 DoD Assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) posted in SPRS, the subcontractor may conduct and submit a Basic Assessment, in accordance with the NIST SP 800-171 DoD Assessment Methodology.
A prime contractor should devise a system that allows their lawyers and contract officers to manage the subcontractor cybersecurity compliance of each subcontractor on each prime contract the contractor holds. An active management system should be developed and effective in the first quarter of 2023. An additional blog post will lay out a recommended subcontractor cybersecurity contract management system.
This blog post mentioned three different regulations contained in DFARS 7019, 7020, and 7021, but only wrote about the first two. Why? Because 7021 is the regulation specifically written about the CMMC, and your author keeps his promises. By following the recommendations in this article and the first two regulations, any contractor will be well prepared for the CMMC, whenever that day might come.