News:

On December 31, 2020, the General Services Administration (“GSA”) released a draft RFP for its new Polaris Government Wide Acquisition Contract (“GWAC”). The Polaris contract is expected to take the place of GSA’s Alliant 2 Small Business contract, which was canceled in July 2020. The Polaris contract focuses on small and medium businesses, giving them the ability to sell IT-related services and ancillary goods more easily to the government.

GSA notes that both civilian and defense organizations can leverage the Polaris GWAC to obtain services. They also note that “The theft of intellectual property and Controlled Unclassified Information (CUI) through malicious cyber activity threatens not only the economic security of the United States, but our national security as well. Nation states, criminal and terrorist organizations, and rogue individuals will continue to target the defense industrial base as well as Government agencies and commercial entities in order to disrupt operations and/or undercut our technological advantages.” Therefore, to keep the Polaris contracting vehicle relevant for all organizations, while “… CMMC is currently a DoD requirement, it may also have utility as a baseline for civilian acquisitions; so it is vital that contractors wishing to do business on Polaris monitor, prepare for and participate in acquiring CMMC certification. Polaris contractors should begin preparing for CMMC and SCRM [Supply Chain Risk Management] accreditation by staying aware of developing requirements and by implementing the appropriate NIST SP 800-series documents.” They also note that contractors shouldn’t stop at CMMC because “Additional requirements may be included on individual task orders by the issuing agency OCO.”

For those contractors who are unsure about their compliance with the CMMC Maturity Level 1 requirements, the CMMC Information Institute has created a free tool that walks you through the requirements.

As part of the draft Polaris RFP, GSA provides examples of actions contractors should take to prepare for CMMC and other requirements. GSA’s suggested actions include:

  1. Determine if your company receives federal funds from the Department of Defense either directly as a prime contractor or indirectly via subcontracts, purchase orders, or other contractual agreements. If so, and/or if Civilian agencies adopt the same program, you should be prepared to obtain at least a Level 1 certification.
  2. Determine whether your company currently or in the future expects to electronically process, store, or transmit CUI in the performance of its defense contracts. If so, you should be prepared to obtain at least a Level 3 certification.
  3. Review your company’s current compliance with NIST SP 800-171 Rev 1 in relationship to your expected CMMC level requirements. Begin drafting a System Security Plan (SSP) in accordance with NIST SP 800-18 Rev 1. If you currently have a Plan of Action and Milestones (POAM) in place or identify additional concerns, dedicate appropriate resources to ensure that progress is being made to close any gaps as quickly as possible. Examine Draft NIST SP 800-171B for enhanced security requirements to improve cybersecurity maturity capabilities as applicable given the CMMC level you intend to attain.
  4. Review your company’s current compliance with NIST SP 800-161 to include the establishment of a SCRM Plan.
  5. Investigate your subcontractor base as CMMC and SCRM requirements may flow down to subcontractors, including commercial item subcontractors. It is expected that consent to subcontract at the Order level may also consider subcontractor CMMC level.
  6. Participate in SCRM and/or CMMC workshops recommended or hosted by GSA.

Opinion:

We note that some of this guidance is inconsistent with CMMC, FAR 52.204-21, and DFARS 252.204-7012 and -7021. The guidance makes it seem as though small and medium businesses, whose resources are already typically stretched thin, should make significant investments in time and resources to address NIST SP 800-171B and NIST SP 800-161 when it is DoD’s position that neither will apply to the vast majority of its contractors. This is likely to create confusion on the part of many contractors, especially those who are most impacted by CMMC. Hopefully GSA will add clarity when then formal RFP is released.

More specifically, we agree that their first two suggested actions are important for any contractor. But, like many commentators, GSA begins to blur the lines between Maturity Level 1 requirements and Maturity Level 3 requirements as the discussion continues. GSA should split out its suggestions into those that are for contractors handling CUI (i.e., those who will need Maturity Level 3 and above certifications) from those that apply to contractors not handling CUI. They should further split the suggestions based on those only handling information needing Maturity Level 3 certification and information needing higher certification levels.

SSPs not Required at ML1

For example, to the extent that CMMC Maturity Level 1’s requirements are derived from NIST SP 800-171, we agree that companies should review their compliance with NIST SP 800-171. However, for Maturity Level 1 companies, there is no need for an SSP. In the CMMC Model, DoD makes it clear that practices can be performed on an “ad hoc” basis at Maturity Level 1. This means that written policies and plans are not required at Maturity Level 1, thus GSA is incorrect to suggest that contractors who are expecting to need only Maturity Level 1 certification must create an SSP as part of their preparation efforts. To be clear, creating SSPs for your computing systems is a great idea and we think all organizations should have them in place. But as far as CMMC is concerned, SSPs are not strictly required at Maturity Level 1. GSA should clarify that SSPs are recommended but not required, unless additional changes to FAR 52.204-21 or other sections are expected.

NIST SP 800-171B

The trend of blurring the lines continues with their suggestion of a review of NIST SP 800-171B. As NIST SP 800-171B’s title suggests, that document sets forth “Enhanced Security Requirements for Critical Programs and High Value Assets”. As NIST describes it, NIST SP 800-171B is used “where that information runs a higher than usual risk of exposure. When CUI is part of a critical program or a high value asset (HVA), it can become a significant target for high-end, sophisticated adversaries (i.e., the advanced persistent threat (APT)). In recent years, these critical programs and HVAs have been subjected to an ongoing barrage of serious cyberattacks, prompting the Department of Defense to request additional guidance from NIST.” To put a finer point on it, NIST SP 800-171B is for highly sensitive CUI, information that would require certification at CMMC Maturity Levels 4 or 5. Maturity Level 1 contractors need implement all of NIST SP 800-171B’s requirements. In fact, even Maturity Level 3 companies are not subject to NIST SP 800-171B’s requirements at this time. GSA’s suggestion that all organizations review it is likely to create confusion and exasperation among small and medium businesses.

NIST SP 800-161

GSA adds additional confusion when it suggests that contractors also adopt NIST SP 800-161. NIST SP 800-161 lays out a supply chain risk management approach for the federal government and is not a requirement in any legislation or regulation about which we are aware. NIST SP 800-161 also relies heavily on NIST SP 800-53, which is the standardized cybersecurity program that applies to federal agencies. Most small and medium businesses will spend hours, if not days, trying to unravel all of the complexities of these different publications, only to (eventually) learn that they were not required of them in the first place. Again, to be clear, we agree that supply chain risk management is critical for all businesses, but to suggest that organizations at Maturity Level 1 should be evaluating their NIST SP 800-161 compliance is misleading unless legislation or regulations adopting these requirements is anticipated soon.

Conclusion

GSA’s fundamental points that a) contractors need to start preparing for CMMC and b) that additional security requirements may be imposed on a contract-by-contract basis are very well made. We hope they will refine their suggestions going forward, especially on contracts and contract vehicles aimed specifically at small and medium businesses, so that they create less confusion for the hundreds of thousands of companies that may want to participate.