The Department of Defense (DoD) released a long awaited interim rule on contractor cybersecurity requirements with immediate impacts for defense contractors of all sizes. See Defense Federal Acquisition Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041), 85 Fed. Reg. 61505 (Sept. 29, 2020) (to be codified at 48 CFR Parts 204, 212, 217, and 252). The interim rule creates a two-pronged approach for full Cybersecurity Maturity Model Certification (CMMC) compliance by October 2025.
First, contractors must submit NIST SP 800-171 assessments to the Supplier Performance Risk System (SPRS) to be eligible for any future contract or task/delivery order award. New contracts or task/delivery order awards will also require contractors to grant the Government access to their facilities to perform higher level NIST SP 800-171 assessments. This requirement is related to but separate from CMMC.
Second, the interim rule will allow contracting officers to include CMMC requirements in future contracts with approval from the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). All DoD contracts and subcontracts will require CMMC by October 2025.
Effective Immediately: Contractors Must Have a Valid NIST SP 800-171 Assessment to Win Contracts
The interim rule requires contracting officers to include newly-promulgated DFARS 252.204-7019 and 252.204-7020 in all future solicitations and awards. See DFARS 204.7304(d), (e). The new rules applies to all contracts except to those solely for the acquisition of commercial off the shelf (“COTS”) items.
DFARS 252.204-7019 is a solicitation provision that notifies contractors they will only be eligible for award if they have a current NIST SP 800-171 assessment registered in SPRS. See DFARS 252.204-7019. The assessment must: (1) have been within the past three years; (2) follow the DoD assessment methodology available on the OUSD(A&S) website; and (3) be reported according to the appropriate method detailed in DFARS 252.204-7020(d).
DFARS 252.204-7020 is a contract provision that requires a contractor to "provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment…if necessary." See DFARS 252.204-7020. The assessment clause outlines the procedures for the NIST SP 800-171 assessment. See DFARS 252.204-7020(d). There are three assessment levels: Basic, Medium, and High. Contractors are required to perform the Basic level self-assessment before contract award; the Government will perform Medium and High level assessments as resources permit. See Id. If contractors disagree with the Government’s assessment, they will have the option to rebut and supplement the findings before they are posted to SPRS. See DFARS 252.204-7020(e).
Subcontractors are not exempt from the NIST SP 800-171 assessment requirement. See DFARS 252.204-7020(g). DFARS 252.204-7020 requires contractors to verify that subcontractors have a current assessment before awarding any "subcontract or contractual instrument" that is subject to NIST SP 800-171 under DFARS 252.204-7012. See Id. The clause also requires subcontractors to include the assessment and access requirement in contracts with second-tier subcontractors if those subcontractors are covered under 252.204-7012.
Only NIST SP 800-171 Assessment, Not Perfection, Is Required
What the interim rule does not require is just as important as what it does require. DFARS 252.204-7019 and DFARS 252.204-7020 require contractors and subcontractors to have assessments on file with SPRS, but contractors are not required to obtain a certain score or level of assessment. This comports with the interim rule's stated purpose of providing insight into industry cybersecurity practices. See 85 Fed. Reg. 61505, 61508.Barring a solicitation-specific provision to the contrary, contractors and subcontractors only need to have a current assessment - regardless of score - in order to be considered for awards between now and when CMMC goes into full effect.
CMMC Will Be Phased In By October 2025
The interim rule’s CMMC clause, DFARS 252.204-7021, requires contractors to have a current CMMC certificate at the level required by the solicitation at the time of award and to maintain that level for the duration of the contract. See DFARS 252.204-7021. The clause goes on to mandate the inclusion of the entire clause in all subcontracts, including the flowdown provision. See Id. This means that subcontractors will be contractually obligated to include the CMMC clause in their contracts with second-tier subcontractors as well, and those second-tier subcontractors will similarly be required to flow down the requirement to third-tier subcontractors, continuing down to all tiers. See 85 Fed. Reg. 61505, 61505-06.
DoD contracting officers will need approval from the Office of the Under Secretary of Defense for Acquisition & Sustainment to include the CMMC clause in solicitations and awards until September 30, 2025. See DFARS 204.7503. Afterwards, the clause will be mandatory in all DoD contracts. See Id.
SPM Advises Contractors Submit Self-Assessments and Proceed With CMMC Compliance With All Due Speed
Because the NIST SP 800-171 clauses only require a NIST SP 800-171 self-assessment and not a certification of complete compliance or a certain score, contractors should complete a self-assessment immediately to remain eligible for potential business opportunities. The self-assessment also provides a valuable opportunity to identify shortcomings in cybersecurity. However, contractors must make the self-assessment diligently, as inaccuracies could lead to potential False Claims Act liability.
Contractors should proceed with bringing their cybersecurity practices up to the most appropriate CMMC standard as quickly as financially reasonable. The CMMC clause will begin to appear in more solicitations and contracts as October 2025 approaches.
For additional questions regarding CMMC cybersecurity assessment requirements for federal contractors, please contact:
The authors acknowledge the assistance of Amanda C. DeLaPerriere with the research and drafting of this article.