Introduction
Key Takeaways
In September 2020, the U.S. Department of Defense (DoD) announced an interim Defense Federal Acquisition Regulation Supplement (DFARS) rule to enhance existing DFARS regulations.
At the heart of the new rule are issues with inconsistencies regarding how organizations self-attest to DFARS compliance. While DoD hopes to resolve this issue by implementing new requirements through the Cybersecurity Maturity Model Certification framework, the rollout and implementation is taking longer than anticipated, so the interim rule is intended to shore up gaps in the meantime.
Through the interim rule, all non-federal organizations that process, store, or transmit controlled unclassified information (CUI) while working with federal organizations such as DoD, NASA, and others, must adopt a new DoD assessment methodology to ensure they meet DFARS mandates and NIST 800-171 requirements. It went into effect Dec. 1, 2020, so all contractors and subcontractors are required to submit a new self-assessment into the DoD’s Supplier Performance Risk System (SPRS) by Nov. 30, 2020, as a prerequisite to submitting bids for new contracts or renewing existing contracts with the DoD. This applies to both prime contractors and subcontractors.
Before we dive into specifics of the new rule and the assessment methodology, let’s take a look at how we got here.
The Drive to Protect CUI
In December 2002, the U.S. government adopted the E-Government Act focused on information security and its role in protecting U.S. national security interests. Part of the act, Title III, is called the Federal Information Security Management Act (FISMA), which outlines how federal agencies should develop, implement, and document information security programs, including information accessed by other agencies and contractors.
Through FISMA, the National Institute of Standards and Technology (NIST), became responsible for creating standards to guide development of these information security programs. As a result, NIST established minimum security guidelines for federal information and federal information systems outlined in Federal Information Processing Standards (FIPS) 200, and NIST 800-53, which covers security controls and procedures for federal information systems and organizations.
In May 2008, President George W. Bush issued a memorandum to all executive department heads and federal agencies. The Memorandum for the Designating and Sharing of Controlled Unclassified Information outlines what constitutes CUI and how agencies can share it.
Essentially, CUI is sensitive but unclassified information. Back in 2008, cyber breaches were on the rise, and government information, like other data used across businesses and by individuals, was in the crosshairs for attackers.
The previous year, in 2007, there were a “record number of data breaches” for the U.S., with millions of exposed records. The largest was a data breach with TJX, a company that owns discount stores, where an estimated 94 million records were exposed.
In 2008, when President Bush issued the CUI memorandum, data breaches exposed more than 35 million records, a trend that’s unfortunately continued. In one recent report, breaches may have exposed as many as 36 billion records in 2020.
And it’s a trend that, by most estimates, will only continue to track upward. One report estimates that in 2021 cybercrimes will likely cost more than $6 trillion globally, tracking upward to more than $10 trillion by 2025.
CUI Framework
Bush’s memorandum established a CUI framework, which categorized CUI procedures and dissemination controls, and outlined reporting measures for exposures.
In 2010, President Barack Obama expanded CUI controls with Executive Order 13556, noting that agencies had previously used ad hoc policies and procedures to secure and control CUI. Because of the inconsistencies, President Obama moved for more clearly defined measures.
As a result, the National Archives took charge of maintaining a national CUI Registry, which serves as a repository for federal guidance on CUI policies and practices.
Other measures soon followed, including Federal Acquisition Regulation (FAR) 52.204-21, which outlines basic safeguarding of covered contractor information systems, and DFARS 252.204-7012, which outlines safeguarding of covered defense information and reporting of cyber incidents.
FAR and DFARS set requirements for government acquisition and contract processes. Both of these measures specify that if you’re a DoD contractor or subcontractor, you are expected to meet specific controls to protect CUI. And this is where NIST 800-171 comes into play.
NIST 800-171
As a result of Executive Order 13556, NIST began working on standards for non-federal organizations that handle CUI. Essentially, it’s complementary to NIST 800-53. The resulting work is NIST 800-171, which outlines security standards for contractors, subcontractors, and other non-federal organizations that transmit, process, or store CUI as part of their working relationships with federal agencies.
NIST 800-171 outlines five core cybersecurity areas: identify, protect, detect, respond, and recover. These core areas serve as a framework for developing an information security program that protects CUI and mitigates cyber risks. NIST 800-171 has 110 security controls corresponding to 14 primary areas ranging from access control to system and information integrity.
Unlike other cybersecurity frameworks, NIST 800-171 does not require a formal certification. Instead, organizations that access CUI must self-attest to meeting basic security standards for CUI protection. All contractors and subcontractors have been subject to NIST 800-171 compliance since 2018. However, it quickly became apparent that the lax practices for self-attestation resulted in no real standardization of practices.
In an attempt to streamline these processes and ensure organizations effectively meet CUI control standards, the U.S. government created the Cybersecurity Maturity Model Certification (CMMC) program, and released its first version in January 2020, with an updated version in March.
CMMC
CMMC draws on best practices of NIST 800-171, as well as ISO 27031, and ISO 27032. It establishes five CMMC certification levels for all contractors wanting to bid on or renew contracts with federal agencies. It also includes certification requirements for subcontractors.
Each CMMC certification level adds additional controls, starting at Level 1, which has 17 control sets, all the way up to Level 5, which has 171 controls. The purpose of these certification levels is to ensure all contractors meet compliance specifications to compete for Requests for Proposals (RFPs) and Requests for Information (RFIs).
No longer a self-attestation practice, to become CMMC certified, agencies must successfully complete an assessment from a CMMC Accreditation Body (CMMC-AB) approved certified assessor (CA) or certified third-party assessment organization (C3PAO). By 2025, all DoD suppliers must have a CMMC certification at the appropriate level set in the competing RFI or RFP. A CMMC-AB certification is valid for three years.
Originally, the goal was to have CMMC certifications moving sometime in 2020, but a variety of issues, including delays in certifying approved assessors, have pushed this out. That’s why DoD issued the interim DFARS rule at the end of September 2020.
DoD Assessment Methodology
As organizations await official CMMC certification clarity, to address concerns with previously accepted NIST 800-171 self-attestation practices, and to enhance information security within the Defense Industrial Base (DIB) sector, DoD established new assessment guidelines within the NIST SP 800-171 DoD Assessment Methodology.
The most current assessment version is v1.2, which sets standards for strategic assessments of NIST 800-171. Unlike the old pass-or-fail approach for self-assessments, the new assessment methodology derives a scoring structure based on the full 110 NIST 800-171 controls. If all controls are met, a contractor can earn the highest score of 110. For every unmet control, points are subtracted from that 110 total.
It’s interesting to note here that an organization can actually end up with a negative score, based on missing weighted requirements. That’s because even though NIST 800-171 doesn’t prioritize requirements, some requirements weigh heavier on security than others, so within the assessment, they’re weighted appropriately.
For example, suppose there is a security requirement that, if your organization doesn’t adopt it, leaves you at a much higher risk of a breach and therefore puts the CUI at greater risk. That requirement is weighted heavier than a less critical requirement.
Contractors that score less than 110 must create a Plan of Action and Milestones (POA&M) that describes plans to address unmet security requirements, including interim risk mitigation and an anticipated date for remediation to meet the 110 milestone.
While POA&Ms are accepted for this assessment process, they will not be applicable to CMMC certification. CMMC will build off of the DoD assessment methodology, but will further provide scalable certification levels that verify cybersecurity program maturity.
To read more about scoring protocols and weighted measuring, check out the DoD Scoring Methodology, section 5.
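The scoring arithmetic described above (start at 110, subtract a weight for every unmet requirement, possibly ending below zero) and the POA&M that has to accompany any score under 110 can be captured in a small calculator. The following is an added example, not code from the original article, Apptega, or the DoD methodology. The per-requirement weights, the sample requirement statuses, and the interim mitigations are constructed for illustration; the real weights come from Section 5 and Annex A of the DoD Assessment Methodology, not from this snippet.

```python
from dataclasses import dataclass
from datetime import date

MAX_SCORE = 110  # one point per NIST 800-171 requirement when every requirement is met


@dataclass
class Requirement:
    control_id: str          # NIST 800-171 requirement identifier, e.g. "3.5.3"
    description: str
    weight: int              # points deducted when unmet (ASSUMED illustrative values)
    implemented: bool
    interim_mitigation: str = ""   # stop-gap measure recorded in the POA&M when unmet


def compute_score(requirements, max_score=MAX_SCORE):
    """Return the assessment score: max_score minus the weight of every unmet
    requirement. Because deductions are weighted rather than one point each,
    the result can legitimately be negative."""
    ids = [r.control_id for r in requirements]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate control id in requirement list")
    if len(ids) > max_score:
        raise ValueError("more requirements than the methodology defines")
    deduction = sum(r.weight for r in requirements if not r.implemented)
    return max_score - deduction


def build_poam(requirements, remediation_by):
    """Return one POA&M entry per unmet requirement: the gap, the interim
    mitigation, and the anticipated remediation date."""
    if not isinstance(remediation_by, date):
        raise TypeError("remediation_by must be a datetime.date")
    return [
        {
            "control": r.control_id,
            "gap": r.description,
            "interim_mitigation": r.interim_mitigation or "NONE RECORDED",
            "remediation_date": remediation_by.isoformat(),
        }
        for r in requirements
        if not r.implemented
    ]


# Constructed sample: five of the 110 requirements, with the rest assumed met.
# Weights (5/3/1) are illustrative placeholders, not the published values.
SAMPLE_REQUIREMENTS = [
    Requirement("3.1.1", "Limit system access to authorized users", 5, True),
    Requirement("3.5.3", "Use multifactor authentication for network access", 5, False,
                "Remote access restricted to the corporate VPN until MFA rollout completes"),
    Requirement("3.3.1", "Create and retain system audit logs and records", 3, False,
                "Weekly manual review of server logs by the security lead"),
    Requirement("3.13.11", "Employ FIPS-validated cryptography to protect CUI", 5, True),
    Requirement("3.14.1", "Identify, report, and correct system flaws in a timely manner", 1, False,
                "Patch status tracked in a shared ticket until scanning is automated"),
]


def sample_assessment():
    """Score the constructed sample and produce its POA&M."""
    score = compute_score(SAMPLE_REQUIREMENTS)
    poam = build_poam(SAMPLE_REQUIREMENTS, date(2021, 6, 30))  # constructed target date
    return score, poam


if __name__ == "__main__":
    score, poam = sample_assessment()
    print(f"Assessment score: {score} / {MAX_SCORE}")
    for entry in poam:
        print(entry)
```

Running the module scores the sample at 101 with three POA&M entries. To see the negative-score case the article mentions, pass a list in which every requirement is unmet: with the assumed weights the total deduction exceeds 110 and `compute_score` returns a negative number.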
Assessment Levels
The assessment methodology consists of three levels, which establish a level of confidence from assessment results:
- Basic: At the basic level, the contractor completes a self-assessment, which includes a review of your organization’s System Security Plan (SSP). The self-assessment should adhere to NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information” and Section 5 and Annex A of the assessment methodology protocols. Because this review is a self-generated score, it results in a “low” level of confidence.
- Medium: At the medium level, the DoD completes an assessment of the contractor’s SSP, resulting in a medium level of confidence.
- High: To achieve a high level of confidence, the DoD completes an on-site or virtual assessment of the contractor, including examination, verification, and demonstration of the SSP and implementation of NIST 800-171 requirements. To begin the process of earning a high level of confidence, the contractor must first do a basic self-assessment and then submit that to DoD.
Reporting Assessment Results
Once you’ve achieved an assessment level (either by self-assessment for basic, or DoD assessment for medium or high), these scores should be posted within the DoD’s Supplier Performance Risk System (SPRS). The interim DFARS rule specifies that all contractors and subcontractors post a current assessment into SPRS by Nov. 30, 2020, as a prerequisite to submitting bids for new contracts or renewing existing contracts with the DoD. This applies to both prime contractors and subcontractors. Prime contractors should ensure subcontractors meet the reporting requirement before awarding a subcontract.
Contractors failing to post assessments into the SPRS will miss opportunities to win new contracts or renew existing ones. Contractors must also maintain the assessment level for contract duration.
Contractors should anticipate completing this type of assessment once every three years or whenever there are significant changes in security practices, risks, or security-related events. Prime contractors also retain responsibility for ensuring subcontractors also meet compliance requirements.
Unlike previous self-assessment practices for NIST 800-171, contractors can anticipate increased audits resulting from the DoD assessment methodology. The DoD will want to periodically evaluate contractors to ensure that they’re compliant with the requirements and that their controls match what’s reflected in their self-assessment score.
The Big Picture
These regulations and assessment methodologies are not meant to duplicate processes. Instead, they are complementary and build off one another.
- You can use NIST 800-171 to develop, implement and manage your information security program.
- The DoD self-assessment will measure how well you’re doing and enable you to compete for RFIs and RFPs.
- The DoD higher level of assessment builds cybersecurity confidence and prepares you to resolve security gaps for CMMC certification.
- The CMMC certification enables you to compete for more complex government contracts and demonstrates to federal agencies you are taking the right steps to ensure CUI remains safe while it’s in your hands.
To learn more about how all of the components build off one another, check out the Federal Register’s “Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041).”
Pulling the Pieces Together
Looking at this all on paper (or here on a screen), may feel overwhelming. How can you get a big picture view of how it all fits together? How can you quickly see what you need to implement, how you’re doing on what’s in place so far, and where you need to go next?
If you’re using spreadsheets or document depositories, you’re probably going to struggle to keep up. Likewise, these processes make it difficult—sometimes impossible—to cull reports for insight. And they create additional burdens because it’s harder to communicate where you are and where you need to be (and what resources and support you need) upward to your executives and key stakeholders.
Apptega can help. Whether you’re starting out and creating your NIST 800-53 framework, preparing for a self-assessment, or getting ready to have a CMMC certification audit, you can manage all the moving pieces—from a granular level up to a comprehensive, clear picture—right in Apptega’s easy-to-understand dashboard.
And, with Apptega’s intelligent mapping tool, Harmony, you can crosswalk NIST 800-171 to CMMC to move the needle closer to certification. Here’s the story of how one DoD contractor used Apptega to complete their CMMC readiness preparation, beginning with their NIST 800-171 assessment.
If you’d like to know more about how you can prepare for CMMC certification, which is where all of these requirements are now leading, check out our on-demand webinar, “CMMC Certification: Tips for Preparation.” Have questions about any of the other steps–from designing your information security program, to using a security framework, from audit preparation to audit success—Apptega is here for you. Contact Us today with questions or request an Apptega demo to see how easy it is to put it to work for you.