DFARS and CMMC: Protecting the DIB and DoD supply chain
Defense industry cybersecurity regulation
Cyber is the biggest non-financial risk faced by nation states and their governments outside of climate change and global systemic risks such as COVID 19. The political and economic impacts of cyber-attacks are broad and deep when targeted at Critical National Infrastructure (CNI). Cyber-attacks have become a geopolitical weapon that can impact the security of nations, their critical infrastructure and weapon systems. Its impact was amply demonstrated in 2021 and 2022 following cyber-attacks on major US businesses including the Colonial Pipeline, JBS Meat, SolarWinds and Kaseya, and by the effect on US supply chains and global organisations of attacks on Microsoft, Nvidia, and Samsung by internationally focused hacker group, Lapsus$. The impact of these attacks led to new legislation: the introduction of US Presidential Executive Order 14017 (February 2021), Securing Americas Supply Chains, and 14028 (May 2021), Improving the Nations Cybersecurity but the threat remains.
The frequency, complexity and severity of cyber-attacks is increasing. Ransomware attacks were the most significant cyber threat vector in 2021 and these, alongside cyber threats created by geopolitical tensions, are predicted to be one of the largest non-financial threats that organizations faced in 2022. Cyber-attacks are predicted to remain a significant issue in 2023, driving the need for US and European Union regulators to continue developing further cybersecurity risk management regulations. Cyber regulations that currently include EU NIS 2.0, EU DORA, the White House Office of the National Cyber Director (ONCD) and The Securities and Exchange (SEC) proposal. In addition to the U.S DoD Defense Federal Acquisition FARS/ CMMC program.
Defense Federal Acquisition Regulatory Supplement (DFARS)
DFARS is a comprehensive suite of regulations setting out the expectations for the procurement and supply of products and services to the US military. Within these regulations is DFARS 48 CFR § 252.204-7012 (Safeguarding covered defense information and cyber incident reporting), defines the requirement to implement NIST (SP) 800 – 171 (currently revision 2). NIST SP 800-171 is a comprehensive set of 110 cybersecurity practices for the protection of Controlled Unclassified Information (CUI). The 110 cybersecurity practices detail over 300 control objectives for the protection of CUI. CUI that is described in the U.S National Archives
Defense procurement – Safeguarding Covered Defense Information
The United States Department of Defense (DoD) plans significant investment on weapons systems such as aircraft, ships, ground fighting vehicles and satellites and IT systems and capabilities to be delivered through prototypes or procurement pathways. Activities that create, modify, store and transmit data and information across many diverse platforms, that reside in DoD suppliers across the Defense Industry Base (DIB). If the covered contractor or subcontractors is delivering products or services under DFARS 252.204-7012 they must implement NIST SP 800-171 on covered contractor information systems that processes, stores or transmits ‘covered defense information’ that is Controlled Unclassified Information (CUI).
‘Covered defense information’ means unclassified ‘controlled technical information‘ or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies.
Covered ‘Controlled technical information‘ means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24.
Adequate security requires covered defense companies to implement NIST SP 800-171 to the ‘Covered Defense Systems’ that create, process, store or transmit ‘Covered Defense Information’. Covered Defense Information that unclassified controlled technical information as described in the CUI registry.
Cybersecurity Maturity Model Certification (CMMC)
Under DFARS 252.204-7012 regulations DIB contractors and their subcontractors are expected to comply to NIST (SP) 800-171 practices(31.12.2017). However DFARS 252.204-7012 was not being complied to by the DIB, highlighted by various Government Accountability Office (GAO) and DoD inspector General (DoDIG), concluding in general weapon system were both not cyber secure and the DIB was not adhering to the requirements defined in DFARS 252.204-7012. To address this the DoD raised a formal DFARS case in 2019 – D041 ‘Strategic Assessment and Cybersecurity Certification Requirements’. Initiating the process to implement a methodology for assessing DoD contractor’s compliance against NIST (SP) 800–171, the protection of Controlled Unclassified Information (CUI) and the reporting of cyber incidents.
In November 2021 the DoD revised CMMC 1.0 issuing CMMC 2.0, publishing an Advanced Notice of Proposed Rulemaking (ANPR) on the 17th November 2021. Significantly changing CMMC 1.0, reflecting concerns raised by industry.
DFARS 252.204-7012 (regulation) and CMMC 2.0 (legislation) – Scope and applicability
DFARS 252.204-7012, 7019 and 7020 (enforceable regulation)
DFARS 252.204-7012 that came into force on the 31st of December 2017 and remains in place, requiring impacted organizations to implement NIST SP 800-171 cyber security practices, self attest to compliance, report cyber incidents to the DoD and requires contractors to flow down the DFARS 252.204-7012 clause to their subcontractors. On the 30th November 2020 the CMMC interim final ruling introduced DFARS 252.204-7019 and DFARS 252.204-7020.
DFARS 252.204-7019 and 7020 were added to DoD procurement regulations in 2020
- DFARS clause 252.204 – 7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) – Contractors and subcontractors must submit a basic NIST SP 800 – 171 compliance score to the DoD Supplier Performance Risk System (SPRS) to be considered for contract award.
- DFARS clause 252.204 – 7020 (NIST SP 800-171 DoD Assessment Requirements) Contractor shall provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment.
Contractors will not be awarded DoD contracts and should not award subcontractors unless a NIST SP 800-171 score is held in SPRS.
CMMC 2.0 (legislation)
CMMC 2.0 addresses concerns raised by industry and the oversight and assurance gaps within CMMC1.0 and DFARS 252.204-7012. For the protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) and incident reporting. As specified in Federal Acquisition Regulation (FAR) Clause 48 CFR § 52.204-21. The CMMC 2.0 proposed ruling defines 3 levels of cybersecurity compliance to be achieve by defense contractors. Each level details the required number of cybersecurity practices that must achieve based upon a given DoD contract.
- Level 1. Requires self-attestation against 17 NIST SP 800-171 cybersecurity practices.
- Level 2. Requires compliance against NIST SP 800-171 with either self-attestation or a third part assessment. Dependent upon the data being processed stored or transmitted by the contractor or subcontractor.
- Level 3. Will require adherence to NIST SP 800-171 and NIST SP 800-172 practices and an assessment completed by the DoD.
CMMC 2.0 will be applicable to DoD contractors and subcontractors, following existing DFARS 252.204-7012 (m) ‘flow down’ requirements from contractors to subcontractors. Contractors and subcontractors will have to confirm that they meet the cybersecurity maturity level defined by the DoD within the Request For Proposal (RFP), submitting compliance to the DoD. The DoD will only accept CMMC certificated issued by accredited CMMC assessor before contract award.
It will take between 9 and 24 months to complete the legislative process to include CMMC 2.0 in DoD contracts. However DFRAS 252.204-7012, 7019 and 7020 are applicable and the implementation of NIST SP 800-171 is required by DoD contractors and subcontractors. Who must continue to input their compliance scores tot he DoDs Supplier Performance Risk System (SPRS) ahead of contract award.