Based on some confusing and potentially conflicting information we have found, we thought it was extremely important to clarify all expectations that the DoD has of its primes, subs and vendors.
From listening to podcasts, watching and attending webinars, and reading any and every publication and white paper we can get our hands on, one thing regarding cyber security is clear:
The DoD is done messing around.
We do not say that to scare or alarm you. On the contrary, we want to empower and embolden you. We want our clients to have a competitive advantage in this ever-toughening DIB marketplace, and we do not want you to lose your contract. We also want to help keep not just YOU safe, but we also pride ourselves in the role we play in strengthening the national security of our great nation that we love so much.
It’s important to note that you absolutely CAN attempt to follow this new Interim Rule all on your own. It’s especially doable if you have an experienced Cyber Security Team within your IT Department.
But if you don’t have an experienced team, even entering your self-assessment into the Supplier Performance Risk System (SPRS) can be extremely time-consuming, and if you do it incorrectly and/or you are audited, you have a lot to lose; not only could you potentially lose your contract, but you may even be liable for penalties of fraud via the False Claims Act (See our previous blog post regarding “United States, et. al., ex. rel. James Glenn v. Cisco Systems, Inc” and “United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., and Aerojet Rocketdyne, Inc,” both big cases where the companies were dishonest about NIST compliance and lost).
There are so many reasons to start taking your cyber security hygiene seriously, if you haven’t already. But we know that it’s complicated and not always very clear, so allow us to help clarify some of the information for you.
Do I Need to Complete the Self-Assessment?
According to Katie Arrington, the only companies doing business with the DoD who are exempt from the December 1, 2020 deadlines are those conducting micro purchases (purchases < $10,000) and Commercial Off-the-Shelf (COTS), which are items that are sold, leased, or licensed to the general public.
EVEN IF YOUR CONTRACT DOESN’T MENTION DFARS, if you in any way, shape or form handle, store, transmit, view, create or touch CUI, you will need to complete this self-attestment.
For more information, we strongly urge you to watch the webinar hosted by projectspectrum.io entitled “Cyber Circuits Essential CMMC News: Your Questions Answered.”
Also, it may help to read the DoD’s “Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018) Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73 DFARS Subpart 239.76 and PGI Subpart 239.76.” (Please Note: The FAQs use “CDI” instead of “CUI” but ALL CDI is also CUI.)
Here are FAQs 4 and 5, regarding who needs to comply with DFARS:
- Q4: When must the requirements in DFARS clause 252.204-7012 be implemented?
- A4: The requirements in DFARS clause 252.204-7012 must be implemented when CDI is processed, stored, or transmits through an information system that is owned, or operated by or for, the contractor, or when performance of the contract involves operationally critical support. The contracting officer shall indicate in the solicitation/contract when performance of the contract will involve, or is expected to involve, CDI or operationally critical support. All CDI provided to the contractor by the Government will be marked or otherwise identified in the contract, task order, or delivery order.
- Q5: When and how should DFARS clause 252.204-7012 flow down to subcontractors?
- A5: DFARS clause 252.204-7012 flows down to subcontractors without alteration, except to identify the parties, when performance will involve operationally critical support or CDI. Them [sic.] contractor should consult with the contracting officer to determine if the information required for subcontractor performance is covered defense information and if it retains its identity as covered defense information which would require flow-down of the clause. Flow-down is a requirement of the terms of the contract with the Government, which should be enforced by the prime contractor as a result of compliance with these terms. If a subcontractor does not agree to comply with the terms of clause 252.204-7012 then CDI should not be on that subcontractor’s information system.
Katie Arrington has reiterated the fact that, even if it’s not in the contract, everyone doing business with the DoD who touches CUI (Prime, Sub, vendor, must comply with this new rule. Not to sound like a broken record, but knowledge is power.
For clarification, at 49:17-51:00, Arrington clearly states that everyone who works with the DoD has to self-attest via SPRS by December 1st, 2020.
And if you have a contract coming due, and you haven’t entered all of your information into SPRS, you will NOT be eligible for the contract. Additionally, they will be conducting audits to ensure that you are being honest in your self-assessments. They do not have the capacity to audit EVERY Prime, Sub or vendor, but with this database, they will be able to “hold your feet to the flames,” so to speak.
And if for any reason… say, you get hacked… and the DoD believes you may have been dishonest with them? SPRS will make it a lot easier for them to prove a case of fraud.
So while it’s true that you may be able to get away with skating by on an incorrect/false self-assessment (until it’s time to become CMMC certified), it comes with a really high risk.
How Does This Impact CMMC Compliance?
Speaking of CMMC, here’s where a lot of the confusion has come from.
As we have mentioned, the DoD expects everyone (save COTS and micro purchases) to be NIST 800-171 compliant, and they must enter their self-assessment in SPRS by the end of this month… BUT, most contractors are not expected to have to be CMMC Maturity Level (ML) 3 compliant; only ML 1. So therein lies the rub:
- NIST SP 800-171 is the basis of CMMC ML 3.
- NIST SP 800-171 is 110 security controls.
- CMMC ML 3 is the 110 controls + 20 more
If the vast majority of Primes, Subs AND Vendors only have to pass ML 1, which is significantly easier to pass than ML 3, then why does the DoD expect all their contractors to be NIST SP 800-171 compliant?
And the answer is simple: Because if a contractor has a contract, they already said they were compliant, and they were paid for it.
You do not necessarily have to implement the final 20 controls, but the other 110 are required, even if you are only expected to pass CMMC ML 1. Also, there is some talk that CMMC ML 1 won’t be around forever, and eventually, all contractors (and vendors) will be expected to pass a CMMC ML 3 audit.
In the past, it seems like there was a bit of a “wink wink, nudge nudge” around NIST expectations, where the government was like, “You are NIST compliant… Right (wink wink, nudge nudge)?” because why else would it be a self-attestment??
Whether that was reality, or if that was just the contractors’ view on it, the government is now saying that is most definitely NOT the way things are going to work any more, in relation to cyber security and its impact on national security.
They have paid their contractors to get NIST compliant. The contractors have taken the government’s money, and now it’s time to show your results.
Speaking of payment, now would be a good time to touch on that.
Recouping Your Costs
A common question is, “Is the government going to pay for CMMC compliance?”
I know we are mostly focusing on DFARS right now, but the two are definitely related because the answer is, “Kind of.”
If you have been a contractor or vendor and have a current contract, and are expected to be CMMC ML 3 compliant, the government will allow for the cost of the actual audit, as well as the cost of adding the 20 additional security controls to your cyber security portfolio… But that’s it.
Because it is assumed that you already have the original 110 security controls in place from NIST 800-171 – since you took the contract.
And they won’t pay for the costs up front; they are to be built into your contract and billed. So essentially, the government is paying for your cyber security measures, but they will not be double-charged for it.
How to Complete Self-Assessment in SPRS
You will be scoring yourself out of a possible 110; 1 point for each security control that you have in place. The DoD expects that since you are already compliant with NIST SP 800-171, it should only take half-an-hour, plus the 25 minutes it takes to upload the information to the SPRS, which requires the completion of 6 fields:
- System Security Plan Name
- CAGE code associated with the plan
- A brief description of the plan architecture
- Date of the assessment
- Total score
- Date a score of 110 will be achieved
The DoD estimates the total of the Basic assessment to cost the contractor less than $100, and you must provide 2 pieces of evidence for each control that you have attested to completing. If you have not implemented all security controls, you must include a Plan of Action and Milestone (POAM) for each one.
There is also a free tool at projectspectrum.io that you can use to help you, after you have signed up for a free Project Spectrum account.
If you are NIST compliant? This will be pretty easy. If you are not, but you have a seasoned IT Department, then they will likely be able to complete it. If you haven’t really done anything to address your cyber security, then we recommend that you contact a cyber security professional that specializes in compliance matters.
Key Takeaways
This new rule seems daunting… And that’s because, quite frankly, it is.
But try to look on the bright side; once you have completed NIST SP 800-171, you only have 20 more to go before you are able to pass CMMC ML 3. It also gives you a competitive advantage because many contractors are not ready to get CMMC certified any time soon..
Also, think of how secure you will be from cyber attacks! Hackers are getting more and more sophisticated with each passing day, and it’s estimated that up to 20% of all cyber victims do not come back from their attacks.
In conclusion, if you’re already DFARS/NIST compliant, this new Interim Rule won’t be a big deal. If you have a well-developed and experienced IT/Cyber Security Department, it also should not be too difficult. But if you are on the ground floor and don’t quite know how to reach the roof, it would be in your best interest to talk to an expert. Whether you speak with a specialist at Petronella Technology Group or anywhere else, just remember that national security is at stake here!
If you have any questions, feel free to give PTG a call at 919-422-2607, or you can schedule a free consultation online.