NIST SP 800-171 or CMMC? Both.
New DOD Rule Creates Two Frameworks
On September 29, 2020, the U.S. Department of Defense (DOD) released an interim rule, scheduled to become effective on November 30, 2020, that implements two frameworks for verifying contractor compliance with cybersecurity requirements: 1) the NIST SP 800-171 DOD Assessment Methodology and 2) the Cybersecurity Maturity Model Certification (CMMC). The immediate impact comes from the NIST SP 800-171 DOD Assessment Methodology. Under this framework, contractors will be required to complete a self-assessment of their compliance with NIST SP 800-171 before they can receive DOD contracts. This framework also gives DOD new tools for verifying a contractor’s compliance. For CMMC, the interim rule introduces the long-anticipated DFARS clause, which sheds some light on how DOD contractors are expected to flow down the requirements to subcontractors. But the interim rule also highlights DOD’s desire to continue developing the CMMC requirements outside the DFARS rulemaking process.
NIST SP 800-171 Assessment
Starting on November 30, 2020, the DOD will require all contractors to undergo an assessment process to ensure compliance with NIST SP 800-171. The interim rule defines three levels of assessment. To be eligible for award, a contractor must complete the first level (Basic Assessment), while the other two levels (Medium and High) are assessments that DOD may conduct itself during the course of performance. Each assessment results in a summary level score, which represents the number of security requirements from NIST SP 800-171 that the contractor has implemented. Because NIST SP 800-171 includes 110 security requirements, the maximum score is 110. The interim rule does not prescribe a minimum score to be eligible for award, although a contractor must identify a date by which it expects to achieve a score of 110 in order to complete the Basic Assessment. The procedures in the interim rule state that it takes 30 days to post the scores from an SP 800-171 Assessment to DOD’s system of record (the Supplier Performance Risk System, or SPRS), so contractors should plan ahead to make sure their scores are posted by the time these requirements become effective, to avoid any potential award delays.
What is the first step?
What is required long term?
CMMC Framework & NIST SP 800-171
DOD will also begin to roll out the CMMC requirements on November 30, 2020. The interim rule does not identify any criteria for determining which solicitations or contracts will include CMMC requirements. Instead, it requires contracting officers to impose the CMMC requirements “if the requirement document or statement of work requires a contractor to have a specific CMMC level.” To ensure some coordination between requiring activities, the interim rule requires approval from the Office of the Undersecretary of Defense for Acquisition and Sustainment before any CMMC requirements are included in a solicitation during this phase of the rollout. Contracting officers will implement these requirements by referencing DFARS 252.204-7021, “Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement.” The 7021 clause requires contractors to maintain a current certification, requires contractors to flow down the clause, and refers to the CMMC website. This clause suggests that DOD will continue to develop the CMMC program outside the DFARS rulemaking process. The timeline for the complete rollout of the CMMC framework is five years, with a target date of October 1, 2025. Thus, by October 1, 2025, the interim rule will include CMMC requirements in virtually all DOD contracts. However, nothing in the interim rule suggests that DOD plans to end the separate SP 800-171 Assessment requirements when the CMMC rollout is complete.
CyberCare – TRA’s Compliance as a Service Offering
TRA will provide guidance on the compliance requirement, if applicable, for existing or new contracts. Our team of experts will assist in the creation and implementation of a cybersecurity plan for your organization to meet that portion of your compliance requirement. TRA has purpose-built its CyberCare Framework to eliminate the burden of researching and vetting required security services, to accelerate the implementation of those services, and to alleviate their ongoing management. TRA will assist with the implementation and management of all CyberCare Framework services. In the event of a security breach, TRA’s incident response team is available to provide remediation on demand. Contact us to learn more about TRA CyberCare!