NIST and CMMC compliance readiness review

From the 31st of December 2020 contractors will be required to have up to date NIST SP 800-171 assessment result posted in SPRS.  From January 2021 the DoD will add CMMC certification requirements to new contracts.  In both cases contractors and their subcontractors must have up to date assessment results posted in the DoDs Supplier Performance Risk System (SPRS) if they wish to be awarded new DoD Contracts.

Compliance requirements

New contract award: From 1st December 2020 compliance will be required by DoD contractors and subcontractors to DFARS clauses 252.204-7012, 252.204-7019, 252.204-2020 and 252.204-7021.  Contractors and subcontractors will input their compliance results to the DoD SPRS system.  DoD Contracting officers will be required to evaluate those inputs to the SPRS system and contractors which do not have upto date assessments input will not be awarded new DoD contracts.

Legal sanctions:  The Interim Final Ruling (IFR) assumes that companies who were contracted by the DoD and where DFARS Clause 204.252-7012 was applied, should already comply with 110 NIST SP 800-171 security practices.  Compliance was required from December 2017 and with contractors self attesting to their implementation of the associated 110 cyber security practices.  Flowing these requirements by contract down to their subcontractors.

Under the DoD Assessment Methodology (DAM) defined in the new ruling contractors and subcontractors are required to evaluate their current compliance to NIST SP 800 – 171.  Publish this ‘basic’ assessment in SPRS and potentially undergo separate DoD ‘medium and high-level’ assessments.  Under the CMMC requirements in the new ruling contractors and subcontractors will be required to submit a certificate of CMMC compliance.  Issued following an independent assessment by accredited assessors, from accredited assessment organisations and publish these results in SPRS.

When DAM results are submitted to SPRS and when CMMC accreditation assessments take place.  There is the potential to challenge deviations from the original DFARS 252.204-7012 self-attestations results.  Contractual commitments taken on by contractors and flowed down to subcontractors when NIST requirements were added to contracts by the DoD, with a expectation of compliance from December 2017.

Moving forward:  It is important that contractors and subcontractors assess and manage their current compliance to NIST SP 800-171, applying 110 cyber security practices.  CMMC compliance requires contractors to apply between 15 and 171 cyber security practices across 5 maturity levels.  Levels which will be defined by the DoD on a contract by contract basis based upon the Controlled Unclassified Information(CUI), from CMMC level 1 to 5.  Requirements which must be flowed down through contracts from contractors to subcontractors, for the protection of CUI and Federal Contract Information (FCI).

It is important that contractors and subcontractors consult their General Council with respect to the legal consequences of the Interim Final Ruling and the appropriate DFRAS compliance.