If you are a Defense Contractor that handles Controlled Unclassified Information (CUI), this news is going to be very important for you.
DFARS 252.204-7012 Interim Rule
Yesterday, the DoD released an interim rule to the Defense Federal Acquisition Rules Supplement (DFARS) which goes into effect on November 30th, 2020. This publication is 89 pages long and consists of a justification, a cost and impact analysis, and additions or modifications to several DFARS regulations.
DFARS 252.204-7021 adds CMMC phased rollout over five years
Most of the public anticipation of this DFARS interim rule was because we thought that it would introduce the Cybersecurity Maturity Model Certification (CMMC). And it does. No big surprises there. The CMMC rule (DFARS 7021) is discussed a bit later in the article.
DFARS 7012 now enforced
More urgently, the DFARS interim rule also fixes a much more immediate cybersecurity requirement – DFARS 252.204-7012. This affects contractors starting November 30, 2020.
Disclaimer: This is a free opinion article and nothing in it is guaranteed to be correct. You should ask your lawyer, your contract officer, and your paid cybersecurity expert for their guidance.
History: What was DFARS 252.204-7012 again?
DFARS 252.204-7012 is a standard clause in many DoD contracts (about 1/3rd of them?) which requires contractors with CUI to do the following:
- Implement all NIST Special Publication 800-171 security requirements to in-scope networks by December 31, 2017. (This is very difficult, often costing hundreds of thousands of dollars and requiring multiple cybersecurity-trained staff.)
- Choose cloud vendors according to strict criteria.
- Report cyber incidents affecting contractor networks to the DoD.
- Notify the DoD of any security not implemented, within 30 days of contract award.
There were three problems with DFARS 7012…
One of the key paragraphs was confusing
“(ii)(A) The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at osd.dibcsia@mail.mil, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.”
Because it said to only notify the DoD within 30 days of award, for contracts awarded prior to 2017, this could be interpreted to mean no action was necessary after 2018.
Good things happened if you ignored it or checked the box
If a defense contractor never submitted anything bad, the DoD continued awarding them contracts. I guess the DoD thought that it was so easy to implement those 110 security controls that all contractors were doing it.
I don’t know whether submitting a non-compliance notification hurt contractors or if it was ignored by the DoD. No one has ever mentioned to me that their organization submitted bad news according to (ii)(A).
I have talked to plenty of contractors who self-certified 100% compliance without understanding what the requirement was. It was just another page in the stack of legalize that the non-technical COO had to sign to submit a bid.
Less cybersecurity = less competition
Ironically, if contractors didn’t spend money on cybersecurity, they could submit proposals at lower price points. This may have resulted in an unfair advantage to the contractors that ignored the requirement.
The DoD starts to suspect non-compliance…
In 2018-2019, the DoD’s Office of Acquisition and Sustainment hit their limit on patience. They were seeing contractors getting cyberattacked and losing CUI to adversaries because of non-compliant security practices. So the DoD introduced the Cybersecurity Maturity Model Certification (CMMC).
The CMMC is different than what came before primarily because it enforces third-party audits. The cybersecurity requirements are not very different than NIST SP 800-171. For companies that don’t handle CUI, the basic cybersecurity requirements match the existing FAR 52.204-21 regulation. So again, the CMMC is mostly a way of forcing compliance with the existing rules.
DFARS 252.204-7021 interim rule – what changed?
The interim rule (which is published here) makes these major changes (summarized):
DFARS 252.204-7020 – Self-assessment required for awards starting November 30, 2020
Prior to awarding a contract which has the DFARS 252.204-7012 clause in it, the contract officer is instructed to verify that the bidder has a recent (less than 3 year old) assessment submitted to the DoD (this is a pass-fail). It does not say that the score counts against the bidder, though I expect this would be considered in a proposal’s technical review.
DFARS 252.204-7019 – Contractors submit their self-assessment compliance score to DoD
DoD contractors (primes and subcontractors) are expected to submit self-assessments of their NIST SP 800-171 compliance to webptsmh@navy.mil using an encrypted email. The self-assessment provided to the DoD should include a summary score according to the DoD NIST 800-171 Assessment Criteria. It might need a system security plan sent as well (this is unclear based on the wording of DFARS 252.204-7019). See Wayne Boline’s (Raytheon) comments below – he makes a good point that the SSP is extremely sensitive and the DoD probably doesn’t want it. Make sure to read the regulation for the exact format of the email.
Summary of assessment criteria: It gives a value to each cybersecurity requirement of 1-5 (or pass/fail in the case of one requirement). The score has a maximum of 110 and is reduced for each unimplemented requirement. From assessments my company (Kieri Solutions) has advised on, and from comments by the DCMA, it is not unusual to have a negative score.
Cyber Pro Tip: If your system security plan is less than 100 pages long, you are probably doing it wrong.
See our article How to submit a NIST SP 800-171 self assessment to SPRS for industry advice and step-by-step instructions to submit your assessment.
DFARS 252.204-7020 – Contractor gives access to DCMA auditors to validate their self-assessment
The contractor also agrees to provide access to the DoD to perform assessments themselves (via the DCMA) if selected for an audit.
DFARS 252.204-7020 – Roll down to Subcontractors
Prime contractors will require their subcontractors to have a basic self-assessment submitted if their information system is subject to DFARS 252.204-7012 (has CUI).
DFARS 252.204-7021 – Oh yeah, it also implements the CMMC over 5 years.
This is less immediate than the other items, and matches what the DoD has advertised about the CMMC already. The CMMC is coming, but I’m worried about NIST SP 800-171 today.
Do you need to submit a NEW self-assessment for DFARS 7012?
My company, Kieri Solutions, has incorporated the DoD assessment criteria into our CMMC preparation services since February 2020, but most organizations didn’t know about the process (until now). In the last week, we have gotten multiple questions about whether organizations need to submit new self-assessments, or whether their previous submission is good enough.
Scenario A: DoD contractor attested that they are fully compliant with DFARS 252.204-7012 and NIST SP 800-171 as part of submitting a proposal in the last three years.
Scenario B: DoD contractor was especially on-point and submitted information about NIST SP 800-171 requirements not met to osd.dibcsia@mail.mil according to the earlier DFARS 252.204-7012 regulation.
From my reading, I don’t think previous submissions will work. Previous submissions would not have included an overall compliance score according to the NIST SP 800-171 DoD Assessment Criteria.
If you have seen something from the DoD which says they are transferring old submissions to SPRS, please comment!!
Feedback requested on the DFARS 7012 interim rule
The DoD has requested comments on the interim rule. Comments period will close November 30, 2020.
You can submit comments by going to the Federal Register website or by emailing osd.dfars@mail.mil with the subject line “DFARS Case 2019-D041”.
*Update October 20, 2020* Comments are starting to be posted publicly at beta.regulations.gov
I’ve already submitted these comments about tactical issues related to submitting assessments:
Comment: It is unclear whether self-assessments or compliance assertions submitted prior to this rule would be valid.
Scenario A: DoD contractor attested that they are fully compliant with DFARS 252.204-7012 and NIST SP 800-171 as part of submitting a proposal in the last three years.
Scenario B: In 2018, DoD contractor submitted information about NIST SP 800-171 requirements not met to osd.dibcsia@mail.mil according to the earlier DFARS 252.204-7012 regulation.
Q: Will the assertions in either Scenario A or Scenario B be transferred into SPRS?
Q: Does the contractor in Scenario A or Scenario B need to send a new self-assessment score to webptsmh@navy.mil ?
Q: How can a contractor verify whether SPRS has a valid assessment for their organization?
Comment: It is unclear whether the self assessment submission should have documentation attached.
The instructions for sending an email do not specify attaching a System Security Plan or Plan of Action and Milestones.
There is precedent for including these documents according to the previous 7012 rule and NIST SP 800-171. Including these documents will also help a contract officer determine whether the bidder fully understands the cybersecurity requirement or is having a non-technical person “check the box”.
Comment: It is unclear how to associate submitted self-assessments with proposals or contracts.
ContractorA has 2 contracts subject to DFARS 252.204-7012. They have one information system secured according to NIST SP 800-171. When they submit the assessment, their email lists CAGE CODE XXXXX.
Q: Should the contractor also identify the DoD contracts which use this system when they submit the assessment? Where and how?
Q: What identifiers would the contractor use to identify a DoD contract?
Comment: It is unclear how to associate partner self-assessments with proposals or contracts.
ContractorA does not have a information system that meets DFARS 252.204-7012. They have partnered with PartnerB and will use PartnerB’s system exclusively for CUI.
Q: Should the contractor’s proposal identify which information system they will use? Where and how?
Comment: It is unclear how to deconflict multiple information systems for the same contractor.
ContractorA has built separate information systems for ITAR_Contract and for PHI_Contract. Both information system self-assessments are submitted using the same CAGE CODE XXXXX.
Q: Will the Offerer randomly pick one self-assessment to check compliance?
Comment: It is unclear how to associate self-assessments with future proposals.
ContractorA has submitted a self assessment with CAGE CODE XXXXX. One year later, they bid on Contract 123.
Q: Should the contractor’s proposal identify which information system they will use? Where and how?
Q: Will the Offeror assume that any self-assessment related to the contractor’s CAGE CODE is the right one?
Comment: It is unclear how to submit encrypted email to webptsmh@navy.mil
ContractorA needs to send their documents to the email address. They do not have a contract yet, so they don’t have any personnel with CACs.
Q: Please describe some processes for securely sending this information via email.
Q: What is the maximum file size for attachments?
Other questions about DFARS 7012 interim rule
Does it really require self-assessments for contract awards starting November 30, 2020? Based on reviews by attorneys in the DFARS space and statements by Government POCs who worked on the Interim Rule, the answer is “Yes”.
For contractors that submitted their compliance information in the past, will that information be available to the government official who chooses the contract awardee?
In other words, does every defense contractor need to submit self-assessments in the next two months? Or only if they haven’t submitted them in the past?
Will the Supplier Performance Risk System (SPRS) only be available to DoD and government officials? Or will contractors have access to submit directly? Note: I tried to register an account. I did not succeed.
What questions do you have? Please comment below (and submit your formal comments to the Gov!)
NIST SP 800-171 an Allowable Cost for Cybersecurity
One of the best things I’ve heard today is this quote from Ms. Katie Arrington (the CISO of A&S for DoD) on LinkedIn:
“Currently the only allowable cost is the implementation of the 110 controls of the NIST 171 and only if the company has the current DFAR rule in the contract.”
She was making a point that cybersecurity for the CMMC is not allowable unless that CMMC level is required by the contract. But her statement about NIST 800-171 applies to tons of contracts today. Contractors should be including cybersecurity costs in their proposals.
I hope that by fixing DFARS 252.204-7012, all bidders will have to account for cybersecurity, thus balancing the proposal costs more fairly.
How will a poor self-assessment impact your future contracts?
The Office of Secretary of Defense, Acquisitions & Sustainment (the same office that gave us CMMC) hosts the Defense Pricing and Contracting website which gives guidance to acquisition personnel.
This page “Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012” provides information about the evaluation process when your assessment is not perfect.
The web page links to the document “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements not yet implemented” which describes the risk factors related to each individual requirement. It seems from my reading that this guidance is meant to give the (probably non-technical) contract officer a feel for the risk involved if they award to a non-compliant contractor.
For example, failing to implement 3.1.3 describes the risk “Failure to define and control where CUI can flow (i.e., between system components) can result in unauthorized access to or exposure of CUI”.
Related is the “Strategically Assessing Contractor Implementation of NIST SP 800-171” which describes the DoD assessment methodology, the Supplier Performance Risk System (SPRS), and other related topics.
DFARS 7021? DFARS 7012? What do we call it?
So far I’ve seen Government representatives referencing DFARS 252.204-7012.
I’ve seen private industry calling it DFARS 7021. It appears that there is already a “DFARS 7021” but it is way less interesting than our new rule (it talks about trade agreements).
The Interim Rule created these new DFARS regulations:
DFARS 252.204-7019
– Notice of NIST SP 800-171 DoD Assessment Requirements
DFARS 252.204-7020
– NIST SP 800-171 DoD Assessment Requirements
DFARS 252.204-7021
– Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement
It updates the instructions for government officials:
- 217.207 “Special Contracting Methods” – Verify self-assessment now, verify CMMC certificate future
- 212.301 “Acquisition of Commercial Items” – Add the 7019, 7020, and 7021 clauses to contracts
It adds policies and procedures for the CMMC rollout:
- 204.7501 policy – Add required CMMC level to solicitation
- 204.7502 procedures – Don’t award contracts unless the CMMC level is met
- 204.7503 clause – Use this standard paragraph for CMMC clause
Lots of numbers to choose from. I’m guessing that 252.204-7021 will be the reference for future CMMC and 7012 will be the reference for today’s 800-171 enforcement.
DFARS 7012 is released. Now what?
There is a chance that the interim rule will be disapproved by Congress if there is enough concern about it. But I wouldn’t hold my breath.
If you have a contract with the DFARS 252.204-7012 clause in it, I recommend starting to prepare your self assessment now for submission. Get a cybersecurity compliance expert involved to at least verify that you are working with a good system security plan template and DoD assessment criteria. Even if your assessment is terrible, plan to submit it. Then start fixing it.
Consider signing up for our newsletter for breaking news about CMMC and DFARS cybersecurity requirements. Also check the menu above for lots of helpful articles with practical advice for either preparing your organization for an assessment, or becoming an assessor yourself.
Next articles:
How to submit a NIST SP 800-171 self assessment to SPRS
For Cybersecurity Practitioners: DFARS 252.204-7012 discussion and download links for resources
For non-practitioners: CMMC Compliance FAQs for Organizations Seeking Certification
Good luck all!
V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. Her company specializes in CMMC preparation and DFARS 252.204-7012 compliance, and designing secure and resilient enterprise systems for private sector and the DoD. Amira is the chief editor for cmmcaudit.org, a non-sales website that provides news and informational articles about the Cybersecurity Maturity Model Certification.
Note that you are not required to submit the actual SSP when you provide your summary score to the DoD via SPRS. I don’t believe they even want the SSP because that is very sensitive information and they don’t want to be responsible for protecting it. And good luck sending that encrypted email to the given email address, how can you do that……?
I’ve seen unofficial comments from acquisition folks saying they expect the POA&M and SSP. That conversation was in the context of Contract Officers using the DoD assessment criteria with the SSP to understand the consequences of failing to implement individual requirements.
The DFARS interim rule mentions the SSP, but the language is confusing. To me, it reads like they want the system security plan submitted. If they didn’t expect the plans to be submitted, then they wouldn’t care about a summary statement describing the architecture of multiple system security plans. I don’t know where to find “security requirement 3.12.4” which might be where the explanation exists.
252.204-7020
“(i) The email shall include the following information: (A) Version of NIST SP 800-171 against which the assessment was conducted. (B) Organization conducting the assessment (e.g., Contractor self-assessment). (C) For each system security plan (security requirement 3.12.4) supporting the performance of a DoD contract— (1) All industry Commercial and Government Entity (CAGE) code(s) associated with the information system(s) addressed by the system security plan; and (2) A brief description of the system security plan architecture, if more than one plan exists. ”
In other words, not sure what the real answer is. I’m on the submit-the-SSP side personally. What do you guys think? Any official guidance?
There is no chance we submit SSP and POAMs because that is sensitive data and I can’t imagine the DoD wanting thousands of SSP’s from the DIB and being responsible for protecting them. DCMA doesn’t even hold on to that as part of DIBCAC assessments. And you will find 3.12.4 in the assessment methodology and it is the requirement to have an SSP.