As we wind down the year, we thought it might be helpful to give an update on the CMMC program and the various rule changes that are occurring that can or will impact it.
DoD Contractor-Related Cybersecurity Requirements Overview
To recap, contractors have been subject to cybersecurity-related obligations for a number of years. For example, DoD implemented DFARS 252.204-7008 and 252.204-7012 back in 2016. A few of the more contractor-relevant clauses that contain cybersecurity requirements are:
- FAR 52.204-21
  - The -21 FAR clause establishes the cybersecurity baseline required of all government contractors who are selling products or services to the government.
  - It includes 15 basic cybersecurity requirements. Studies show that 78% of contractors are not meeting at least some of those requirements.
- DFARS 252.204-7008
  - The -7008 clause applies to contractors who are managing IT systems on behalf of DoD.
  - For the sake of brevity this article will focus on other clauses, but if you are an IT systems provider to the government, it is important to read this clause.
- DFARS 252.204-7012
  - The -7012 clause applies to all contractor IT systems that are used to store, process, or transmit DoD’s Controlled Unclassified Information (“CUI”).
  - It requires all contractors who store, process, or transmit CUI to evaluate their cybersecurity programs and to ensure that those programs comply with the requirements in NIST SP 800-171.
  - In addition, if the contractor is using a cloud-based service to handle CUI, that cloud-based service must meet the equivalent of FedRAMP Moderate cybersecurity requirements.
DoD Adds Cyber Teeth to Acquisitions Process
The self-evaluation process permitted by the -7012 clause was found to have significant shortcomings and, in 2019, DoD announced the CMMC program. Version 1.0 of CMMC made third-party validation (and certification) of the contractor’s cybersecurity program a prerequisite for that contractor being permitted to participate in DoD contracts. As will be discussed below, this requirement has been (somewhat) softened in CMMC 2.0.
In September of 2020 the US Department of Defense published three “interim final” rules that sought to implement a “crawl-walk-run” approach to adopting CMMC.
- DFARS 252.204-7019
  - The -7019 clause requires all DoD contractors who handle Controlled Unclassified Information (“CUI”) to conduct a self-assessment of their cybersecurity program using the DoD Assessment Methodology and to submit the corresponding score to the Supplier Performance Risk System (“SPRS”). Submission of a score to SPRS is a prerequisite for being permitted to participate in a government contract if you handle CUI under that contract.
  - Although not strictly required by the -7019 clause, some prime contractors are publicly stating that they will only do business with subcontractors who have performed self-assessments and submitted corresponding scores to SPRS, even when those subcontractors do not handle CUI. This is forcing many in the defense supply chain to evaluate and enhance their cybersecurity programs.
- DFARS 252.204-7020
  - The -7020 clause adds DoD oversight on top of -7019. DoD can now (through its DIBCAC team) audit and validate contractors’ scores submitted under the -7019 requirements. It allows for two styles of audits: “moderate,” which are basically paper-only, and “high,” which are more detailed.
  - DoD’s Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”) team has already started performing moderate “5 day audits,” in which DIBCAC contacts the contractor on Monday and requires that an up-to-date System Security Plan be submitted for review no later than that Friday.
  - In addition, DIBCAC is conducting more detailed “high” assurance audits as part of the Joint Surveillance Program (“JSP”). Under the JSP program, DIBCAC leads the assessment, but representatives from a Cyber AB Authorized C3PAO participate in the assessment as well. The expectation is that those who “pass” a JSP audit will (hopefully) be issued a CMMC certification once DoD authorizes certifications to be issued.
- DFARS 252.204-7021
  - The -7021 clause implements the CMMC program for DoD contractors. It introduces the concept of third-party certifications and makes such certifications a prerequisite for participating in a DoD contract when applicable.
It is important to note that, while all three of the rules are technically in effect, DoD’s policy is that only the -7019 and -7020 clauses can appear in contracts.
DoD Refines CMMC
This is, in part, because DoD recognized the significant impact CMMC’s requirements will have on the contractor community (i.e., precluding contractors from participating on government contracts). From the outset, DoD stated that CMMC would be gradually phased into contracts and that they wanted to give contractors ample opportunity to evolve their cybersecurity programs before the contractors faced being precluded from participating in contracts.
After some feedback from the contractor community subsequent to CMMC 1.0’s release, in November 2021 DoD announced changes to the CMMC program, including simplifying the model from 5 levels to 3, allowing self-attestation at Level 1, and more closely aligning the CMMC requirements with NIST SP 800-171. As part of these “CMMC 2.0” changes, DoD also began collaborating even more closely with other government agencies to tighten alignment between CMMC and other programs (notably NIST SP 800-171, NIST SP 800-171A, and NARA’s CUI program).
The result is that many critical pieces of the CMMC program are being updated. It should be noted, however, that most of these updates are expected to help clarify and refine, rather than fundamentally change, these various programs. Thus, contractors should not wait to begin addressing their CMMC, CUI, and NIST SP 800-171-related obligations. The vast majority of the work that is necessary under those current obligations will still be useful when CMMC is finalized. If you are still in the early phases of your compliance journey, our DIY vs Outsource article includes some suggestions for how to get started, and our free self-assessment tool has many valuable resources, including a recommended order for implementing the different requirements under NIST SP 800-171/CMMC.
EOY 2023 Status Update
With that important caveat in mind, changes that will be coming in 2023 include:
NIST SP 800-171 is Being Updated
In July 2022, NIST announced that NIST SP 800-171 would be updated from Revision (“Rev”) 2 to Rev 3, and asked for public comments before beginning that process. In November 2022, NIST published an analysis of those comments and indicated that an initial public draft of NIST SP 800-171 Rev. 3 would be released in “late spring” of 2023. NIST will most likely leave that draft open for comments for about 60 days, then they will make revisions to the initial public draft based on the feedback that was received. As a practical matter, this means that the final version of NIST SP 800-171 Rev. 3 probably will not be released until at least September 2023.
The creation of FAR Part 40
The government’s CUI program is overseen by the National Archives and Records Administration (“NARA”). One of DoD’s goals with CMMC is to get both its internal teams and contractors in line with the CUI program. As DoD has learned, this is a tall order. One of the problems is that, while DoD has approached the CUI program from one perspective, other federal agencies are approaching the CUI program, and supply chain cybersecurity more broadly, from their own perspectives. As a result, there are cybersecurity-related provisions scattered throughout the various Federal Acquisition Regulation (“FAR”) Supplements, such as the Defense Federal Acquisition Regulation Supplement (“DFARS” – see, e.g., the DFARS sections discussed above) and the NASA FAR Supplement (“NFS” – see, e.g., Section 1852.204-76). This makes it harder for government contractors who work for multiple agencies, as the inconsistencies in the requirements can sometimes conflict, meaning they have to maintain separate computing environments that are specially tailored to meet these different requirements, which, in turn, adds cost to the contract.
Under Executive Order 14028, the White House announced plans to harmonize these various cybersecurity regulations. The first step in this process is the creation of an entirely new section of the FAR that specifically addresses supply chain cybersecurity requirements. This process is currently underway, led by the Defense Acquisition Regulatory Council (“DARC”), part of the Federal Acquisition Regulatory Council (“FARC” or “FAR Council”), which in turn is part of the Office of Management and Budget (“OMB”). The first draft of FAR Part 40 was initially due October 12, 2022. As of the date this article was initially published (January 1, 2023), that deadline has been extended to January 18, 2023.
From the description of FAR Part 40 in the FAR case summary, and given the broader initiative in Executive Order 14028, the DFARS clauses listed above will likely become part of this new FAR Part 40.
Cybersecurity-related Updates to the DFARS
While the new Part 40 is being created, DoD is also revising the DFARS and related guidance to help contracting officers and others involved in the procurement process better understand the CUI program (including how to identify CUI) and how to apply CMMC during acquisitions. The first draft of these revised rules was expected to be submitted for review by the FAR Council on June 6, 2021. However, Executive Order 14028 was published around that same time and has impacted the process. As of the date this article was published, the new due date for the rules is January 11, 2023 (see the DFARS case status page for more information, and specifically DFARS case 2019-D041).
Once the updated drafts of the rules are finalized they are submitted to the FAR Council which will review and may amend the draft rules. Because the rules are no longer directly under DoD’s control, DoD will enter a “quiet period” where DoD representatives will not be able to speak publicly about what may/may not be in the new rules.
The FAR Council’s review of the new rules will likely be integrated with their review of, and updates to, FAR Part 40. Initially, DoD estimated that the FAR Council would publish these new DFARS clauses as “interim final” rules in May 2023, and then accelerated that timeline a bit to March 2023. As interim final rules, they become effective 60 days after publication, although they are subject to amendment after a public comment period. By contrast, if they are published as interim rules, they will not be effective until after the public comment period has closed, the comments adjudicated, and any necessary changes are made.
Additional Changes Coming
In addition to harmonizing the various supply chain cybersecurity requirements, Executive Order 14028 also requires the creation of a standardized cyber incident reporting program for government contractors. The reporting requirements will likely be similar to those in DFARS 252.204-7012, but may also extend to incidents involving Federal Contract Information (i.e., any of the government’s nonpublic information). According to the FAR Case Status (see FAR case 2021-017), a draft of the corresponding rule was submitted for review by the FAR Council on December 19, 2022. Those requirements are likely to also find their way into FAR Part 40, and contractors should be watching for their introduction in the near future.
Changes to the CUI Program (32 CFR)
The CUI program has far-reaching implications, and DoD’s implementation of it, including CMMC, has uncovered some places where additional clarity is needed. In addition, many provisions in FAR Part 40 will likely focus on the protection of CUI. As a result, DoD is working with NARA and other agencies to enhance the CUI program (which is in 32 CFR 2002, outside the Federal Acquisition Regulations).
Clearly, there are a lot of changes happening in the government’s approach to supply chain cybersecurity. Given the scope of the changes, including the creation of FAR Part 40 and DoD’s changes to the DFARS supply chain cybersecurity requirements (i.e., DFARS 252.204-7008, -7012, -7019, -7020, -7021, etc.), the FAR Council may decide to publish everything at one time as part of the new FAR Part 40. If they do, they may publish FAR Part 40 as an interim, rather than interim final, rule. However, given the strong push for implementation of supply chain cybersecurity requirements by the current administration, anything that delays the implementation of these regulations by many months might not be palatable, and the White House may push for the adoption of FAR Part 40 as an interim final rule.
More fundamentally, while the next 6-12 months will likely see a lot of regulatory changes, they are likely to be refinements of, rather than wholesale ripping and replacing of, existing requirements. NARA has indicated that the then-current version of NIST SP 800-171 is THE measure by which contractor systems should be assessed for the contractor’s ability to handle CUI. When NIST updates 800-171 to Rev. 3, they will likely add requirements (also referred to as “controls”) and clarify certain aspects of the document (e.g., whether the “NFO” controls in Appendix E are truly required or merely “expected” to be in place). They may also consolidate NIST SP 800-171 with its “assessment guide” (NIST SP 800-171A). Despite these changes, as with the previous revision, many of the existing requirements/controls will likely remain essentially untouched.
While FAR Part 40 and updates to the CUI program and NIST SP 800-171 may impact CMMC at a high level, DoD has indicated that CMMC requirements will be incorporated into all DoD FAR-based contracts in 2025. The process of modernizing an organization’s IT and cybersecurity programs to meet the government’s current requirements can easily take 6-12 months, and for some organizations it could take 12-24 months. Smart contractors are not waiting for the “dust to settle” before addressing CMMC and other cyber regulatory requirements. They are embracing the fundamental culture change necessary, including that their cyber and IT programs must constantly adapt to changes in threats and regulatory requirements. As a result, they are starting their modernization process now, based around NIST SP 800-171 Rev. 2.