A recent interim rule from the Department of Defense (DoD) would create a new self-assessment methodology for the cybersecurity requirements in NIST SP 800-171. The same rule also would implement the Cybersecurity Maturity Model Certification (CMMC) Framework. The interim rule, which was published on September 29, 2020, will become effective on November 30, 2020.
We have previously reported on the need for advance preparation for CMMC compliance. As discussed below, the interim rule would also introduce new compliance goals under NIST SP 800-171 (the NIST Standard).
NIST SP 800-171 DoD Assessment Methodology
DoD contractors are already familiar with the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity clause 252.204-7012. It is included in nearly all DFARS-covered contracts and requires that contractors’ cybersecurity meet the NIST Standard. Historically, contractors have been allowed to self-certify that their systems comply. But the DoD had no way to verify a contractor’s implementation of the standard. The new interim rule creates a more specific, standardized self-assessment methodology.
Under this new NIST SP 800-171 DoD Assessment Methodology, contractors still self-assess their compliance. What is new is the standardized, uniform methodology they must use. In the new Basic Assessment, a contractor scores itself on a scale from -203 to +110. The score is determined by starting at 110 and subtracting a weighted sum for the security requirements the contractor has not implemented, so a contractor that has implemented every requirement scores a perfect 110.
In addition to the basic assessment — which is a self-assessment — after award, the government may in some cases conduct its own medium or high assessment of a contractor’s cybersecurity. Assessments generally expire after three years.
The basic assessment applies across the board to virtually all defense contractors. Because the interim rule will take effect soon (on November 30), contractors should begin preparing now to assess exactly which NIST Standard requirements their company meets. Whatever a contractor’s score is now, it will need a plan to get to a perfect 110.
The industry has been preparing for CMMC since last year. The interim rule begins rolling out the CMMC requirements on November 30, 2020. By 2025 at the latest, some level of CMMC compliance will be required of virtually all contractors on all defense contracts.
Unlike under the NIST Standard, the CMMC Framework will not recognize self-assessment. Instead, third-party auditors will assess each contractor’s cyber hygiene. The auditors are known as CMMC Third Party Assessment Organizations (C3PAOs). The C3PAOs will themselves be accredited by yet other entities, but the requirements for becoming a C3PAO are not yet established.
CMMC has five levels of compliance, and the required level will be specified in each contract based on the associated risks. Every contractor will need to meet CMMC Level 1. Any contractor handling controlled unclassified information (CUI) should prepare to meet at least CMMC Level 3. Roughly, Level 3 corresponds to the NIST Standard plus some additional CMMC practices and processes.
Cybersecurity continues to grow in importance at the DoD. Bradley will keep you updated on developments in both the NIST SP 800-171 DoD Assessment Methodology and the CMMC Framework. In the meantime, contractors should prepare for the basic assessment by determining exactly how many NIST Standard requirements they meet. Contractors should also prepare to get certified at the appropriate CMMC level — at least Level 1 for everyone, and Level 3 or higher for any company that handles CUI. The interim rule will take effect on November 30.
If you have any questions about the topics discussed in this article or any related issues, please feel free to contact Aron Beezley, David Vance Lucas, or Andrew Tuggle.