The DoD Assessment Methodology is a great attempt to create a standardized approach to evaluating contractor cybersecurity programs. However, it suffers from a fundamental flaw. That flaw is best illustrated through an example.
Imagine that Mavis’ Machine Shop is a DoD contractor and only ever handles Federal Contract Information (“FCI”), never Controlled Unclassified Information (“CUI”). However, Mavis, the CEO of Mavis’ Machine Shop, receives a call from the Contracting Officer for one of Mavis’ DoD contracts, and the Contracting Officer informs Mavis that the contract is up for renewal in 2 weeks. As part of the renewal, the Contracting Officer will be granting Mavis’ request for a price increase, and the Contracting Officer will also be incorporating the DFARS 252.204-7019 and -7020 clauses in the contract. The Contracting Officer informs Mavis that Mavis must perform a self-assessment using the DoD Assessment Methodology and submit a score to SPRS before the renewal can be processed. Failure to submit a score within the next 2 weeks will cause the contract to terminate and open for recompete.
Mavis has attended enough CMMC and DFARS webinars to know that, since her company only handles FCI, the Contracting Officer’s assertion that a Basic self-assessment must be performed and a score submitted to SPRS is fundamentally wrong. The -7019 and -7020 clauses are only triggered if the -7012 clause applies, and it doesn’t apply since Mavis’ Machine Shop doesn’t handle CUI. However, Mavis is also a shrewd enough businessperson to know that if she contests the Contracting Officer’s assertion, she will likely ruin her chances for the renewal.
So, she conducts a Basic self-assessment. She was smart enough to put together a basic System Security Plan (“SSP”) a few weeks ago, so the timing is pretty good, and she starts reviewing the SSP using the DoD Assessment Methodology.
As she does so, she notices that she can mark controls as Not Applicable and still receive credit for them under the scoring methodology. So, she marks all of the controls that are not required under FAR 52.204-21 as “Not Applicable”. Mavis then evaluates her company’s program against the remaining 17 controls and gives her company a score of 97.
Some readers might argue that the DoD Assessment Methodology requires that all Not Applicable findings be approved by the DoD CIO, so Mavis’ approach is improper. However, the DoD CIO would inherently have to accept that the requirements are Not Applicable, since they literally cannot apply to Mavis’ Machine Shop when it does not handle CUI.
While there is a rational basis for Mavis’ score, as a practical matter her company’s cybersecurity program is far less mature than that of an organization that handles CUI and whose program was correctly scored at 97. This result makes the DoD Assessment Methodology less valuable as a means of identifying contractor risk.
The FAR and Above approach mitigates this shortcoming. By implementing a phased scoring approach that requires that certain controls be implemented before higher scores can be achieved, FAR and Above allows better visibility into, and more consistent evaluation of, contractor cybersecurity programs.
Our free Comprehensive NIST SP 800-171 Self-Assessment Tool includes scoring for both FAR and Above and the DoD Assessment Methodology. You can download a copy below: