As the U.S. Department of Defense seeks to secure its supply chain, cybersecurity is front and center. A recent DFARS interim rule implements a DoD Assessment Methodology for NIST SP 800-171. The interim rule introduces a couple of new requirements for defense suppliers that must implement NIST 800-171 (i.e., those whose contracts include DFARS 252.204-7012).
There are three essential areas that defense suppliers should focus on:
I) A New Assessment Methodology:
The assessment methodology provided by DoD includes, for the first time, a scoring component. The highest possible score is 110, which reflects full implementation of all 110 requirements in NIST 800-171. Each requirement that is not fully implemented is subtracted from that total, and in some cases the deduction is larger than the single point the requirement contributes when implemented, so the score is weighted toward the requirements DoD considers most important. (Yes, it is possible for the resulting score to be negative.) Partial implementation is generally not credited, although a few requirements have built-in partial-credit scoring. The scoring also has a number of complexities related to five different configurations; these are worked out in Celerium's Assessment Solution referenced below.
There are three levels of assessment. The deeper the assessment, the higher the level of confidence DoD assigns to the resulting score.
Basic assessment is a self-assessment performed by the contractor and results in a "low" level of confidence.
Medium assessment adds a review of the contractor's system security plan (SSP) by DoD personnel and results in a "medium" level of confidence.
High assessment adds an on-site or virtual assessment by DoD personnel and results in a "high" level of confidence.
All three levels start with a basic assessment performed by the contractor.
II) November 30 Deadline:
A significant update is that defense suppliers now need to have a current (i.e., not older than three years) NIST SP 800-171 DoD Assessment on record in DoD's Supplier Performance Risk System (SPRS). The assessment must be on record prior to a contract award, and this applies to new contracts as well as to the exercise of options on existing contracts. The interim DFARS rule takes effect on November 30, 2020, but defense suppliers should post their assessment as soon as possible. For example, a contractor with an existing contract it wants renewed by December 10 needs its assessment submitted and posted in SPRS before that date, which means allowing time for the submission to be processed.
III) Subcontractor compliance:
As in the past, contractors remain subject to the flow-down requirement. Under the interim rule, this means subcontractors that handle covered defense information may also have to complete the new scoring-based NIST 800-171 assessment and have it posted in SPRS before they receive a subcontract award.
What should contractors do to address this DFARS interim rule?
Bottom line: if you have existing contracts you wish to renew after November 30, 2020, you will need to ensure that both your company and your suppliers complete the new NIST 800-171 assessment and, at a minimum, have their self-assessment scores posted in SPRS; DoD then determines compliance from those assessments.
Celerium offers a free NIST 800-171 assessment tool to help contractors facilitate their assessments. Contractors can use this tool themselves, and can also share it with their subcontractors as a way to help ensure their subs are in compliance per the flow-down requirement.
A webinar on November 10, hosted by Celerium and co-sponsored by Steptoe & Johnson LLP, will provide an overview of the interim DFARS rule along with discussions on protecting sensitive CUI data on on-prem infrastructure, in the cloud, and in Office 365. Participants include John Ellis of the Defense Contract Management Agency, who will cover the application of cybersecurity contract requirements and the policies supporting NIST 800-171 audits, as well as legal experts from Steptoe & Johnson LLP.