
Cybersecurity is playing an increasingly important role in today’s society, as DoD contractors are acutely aware. Many are racing to meet the requirements of NIST SP 800-171/CMMC 2.0 Level 2 so that they can be among the first to obtain formal CMMC certifications whenever DoD allows that process to formally begin.
Unfortunately, as of now, there is no clear indication of exactly when DoD will permit formal CMMC certifications. DoD has indicated that it will not occur until rulemaking is complete, and DoD is already 3 months overdue on its planned release of the CMMC-related rules to the Executive Branch organization that oversees the rulemaking process (the Office of Information and Regulatory Affairs, or “OIRA”), let alone the finalization of those corresponding rules.[1]
This creates a perverse incentive for companies in the defense supply chain. Until DoD formalizes CMMC, the additional cost of NIST SP 800-171 compliance, weighed against the traditional lowest price, technically acceptable acquisition model, gives contractors an incentive to hold off on meeting their compliance goals, because compliance increases their cost of delivery.
So, how does a contractor who wants to do the right thing and meet NIST SP 800-171’s requirements also help ensure that they get the recognition they deserve for all their hard work?
DoD recently introduced two provisions, DFARS 204.7604 and DFARS 252.204-7024. In 204.7604, Contracting Officers are required to ensure the -7024 clause is used in all FAR Part 12 acquisitions for supplies and services. This means that the -7024 clause should start appearing in DoD RFIs and RFPs very soon.
The -7024 clause requires Contracting Officers to evaluate a variety of factors, including Item, Price, and Supplier Risk as described in DoD’s Supplier Performance Risk System (“SPRS”). The -7024 clause also allows Contracting Officers to “consider any other available and relevant information when evaluating a quotation or an offer.”
Clearly, the intent of the -7024 clause is to encourage, and even empower, Contracting Officers to integrate risk considerations into their overall acquisition process. This nudges DoD away from its traditional, strict “lowest price, technically acceptable” acquisition approach and toward an approach that lets contractors leverage their strengths, especially in the cybersecurity arena.
Contractors who have met the requirements in NIST SP 800-171, as clarified in NIST SP 800-171A, could obtain, from a reputable third party, a letter of attestation that validates the contractor’s cybersecurity program. This letter of attestation can then be included with a proposal package. Contracting Officers can then evaluate the letter of attestation and may consider it as “available and relevant information” when identifying an appropriate awardee.
Of course, the natural question is “who is a reputable third party?” The letters that will likely carry the most weight with a Contracting Officer are those from an organization that has undergone scrutiny by the United States Government, such as a FedRAMP authorized 3PAO or an Authorized C3PAO.
Contractors who have met the requirements of NIST SP 800-171 can obtain a letter of attestation and begin leveraging their diligence to help set themselves apart from their competitors.
Footnotes
1. A total of 7 rules are impacted by the CMMC rulemaking process (DFARS 204.73, 204.75, 212.301, 217.207, 252.204-7019, 252.204-7020, and 252.204-7021 are listed as being impacted by the rule), which explains some of the delay. Given the interplay between DFARS 252.204-7012 and some of the potentially conflicting requirements between the -7012 clause and the others listed above, it is a bit surprising that the -7012 clause isn’t also being amended in these edits. It will be interesting to see the regulations when they are published.