The Defense Department released one of the last major pieces to complete the Cybersecurity Maturity Model Certification (CMMC) program puzzle.
The Pentagon issued an interim rule under the Defense Federal Acquisition Regulations on Sept. 29 to add more clarity around the implementation timeline and around the requirements contractors will have to adhere to over the next five years.
One surprise among observers is the new requirement for vendors at the medium or high assessment levels to undergo a government assessment of how they comply with the standards outlined in Special Publication 800-171 from the National Institute of Standards and Technology.
“The assessment uses a standard scoring methodology, which reflects the net effect of NIST SP 800-171 security requirements not yet implemented by a contractor, and three assessment levels (basic, medium and high), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment,” the interim rule stated. “A basic assessment is a self-assessment completed by the contractor, while medium or high assessments are completed by the government. The assessments are completed for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.”
Vendors must upload the results of these assessments to the Supplier Performance Risk System (SPRS) website where contracting officers and others can verify the contractor’s 800-171 evaluation is not more than three years old.
DoD will roll out the CMMC program over the next five years, but the interim rule takes effect on Nov. 30 and DoD will accept comments through Nov. 22.
Unexpected changes to NIST 800-171 assessments
The requirements for 800-171 are probably the biggest surprise or unexpected part of this long-awaited rule, according to experts.
Eric Crusius, a government contracts attorney and partner with Holland & Knight, said the assessments seem redundant with CMMC, and may just be a stopgap until DoD can roll the standard out over the next five years.
“It appears that there are additional steps contractors have to take as they have to score their compliance with 800-171, go through 110 controls and determine how many they are compliant with,” he said. “I thought the approximate costs of compliance with 800-171 and the number of companies seem to be underestimated. The burden on contractors to get these 800-171 reviews right will be much more than DoD thinks.”
DoD estimated that for a basic assessment the average contractor would spend just under $50 and another $25 to put the information on the SPRS portal for a total of about $75.
Crusius said DoD seems to miss the point that any assessment submitted to the government will require more time from senior leadership, therefore increasing the cost to the company.
John Weiler, the executive director and co-founder of the IT Acquisition Advisory Council and a former CMMC Advisory Board member, said it’s disappointing DoD put out the DFARS notice as an interim final rule, especially as the impact on small firms is real.
“Even though it took 89 pages to explain the new rule, little has really changed, retaining the role of the Defense Contract Management Agency (DCMA) in verifying 800-171 compliance, and continuing to allow self-attestation by contractors,” he said. “Though small businesses were referenced many times, we found no details how DoD will account for the significant impact compliance will have on a community struggling with COVID.”
26,000 small firms could be impacted
In the interim rule, DoD estimated more than 26,000 small businesses would be impacted by this new rule at the basic assessment level.
“The requirement for the basic assessment would be imposed through incorporation of the new solicitation provision and contract clause in new contracts and orders. As such, the requirement to have completed a basic assessment is expected to phase-in over a three-year period, thus impacting an estimated 8,823 small entities each year,” the interim rule stated. “It is expected that the medium and high assessments, on the other hand, will be conducted on a finite number of awardees each year based on the capacity of the government to conduct these assessments. DoD estimates that 200 unique entities will undergo a medium assessment each year, of which 148 are expected to be small entities. High assessments are expected to be conducted on approximately 110 unique entities each year, of which 81 are expected to be small entities.”
Crusius said it would serve both DoD and its vendors well if the estimates covered not just achieving compliance but maintaining it too.
He said the work the FAR Council did with the Section 889 rule prohibiting the use of certain Chinese-made telecommunications equipment was a good example of the government estimating the costs of complying with a rule.
No mention of reciprocity
But it’s about more than just costs: the rule also leaves questions around the requirements prime contractors will have to flow down to subcontractors.
Crusius said it’s clear that subcontractors will have to meet CMMC and 800-171 requirements, but there was little detail on how to determine the right certification level for companies other than prime contractors.
“The interim rule doesn’t clearly state, but seems to insinuate that the prime assigns the CMMC level to their subcontractors. What happens if the government disagrees with that determination? That could be an area of risk for the prime,” he said. “There also is little about how the entire system works if a contractor disagrees with the assessment, and how do you account for differences of opinion? The rule does say the CMMC-AB will have the final say if there are any disputes, but what recourse does a contractor have if they still disagree? There are larger questions not necessarily answered in the rule, but it would’ve been nice if there was some discussion. There seems to be a lot of discretion in 800-171.”
Weiler also pointed out that the interim rule lacks clarity around risk determination.
He said the CMMC-AB developed a risk assessment guide that the rule makers should’ve leaned on.
Gordon Bitko, the former FBI chief information officer and now senior vice president of policy and public sector lead at the IT Industry Council, said the association is disappointed that DoD didn’t put out the regulation as a proposed rule.
“To maximize the CMMC’s effectiveness while reducing cost and burden to the industrial base, we recommend that DoD provide a standardized approach to determining appropriate levels for each procurement, allow for reciprocity with other federal cybersecurity standards, and take action to protect assessment results,” Bitko said in a statement.