Department of Defense DFARS Interim Rule
On September 29th 2020, the Department of Defense (DoD) issued a Defense Federal Acquisition Regulation Supplement (DFARS) interim rule which was titled “Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)”. The new rule was highly anticipated, as it was to address the new Cybersecurity Maturity Model Certification (CMMC) that was released earlier this year and discuss the DoD’s implementation of the CMMC in the Defense Industrial Base (DIB). The interim rule added the following contract clauses:
252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements.
2. 252.204-7020 NIST SP 800-171 DoD Assessment Requirements.
3. 252.204-7021 Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement.
Many people were shocked to learn that the new DFARS interim rule also added two new cybersecurity contract clauses on top of the CMMC clause, that will affect new contracts starting November 30th, 2020. There has been a lot of talk about the new interim rule and its requirements, as well as misinformation about the new rule. We want to assure you, the new interim rule is not as scary as it sounds or as some people are making it out to be. With that being said, let’s take a closer look at the new interim rule.
We will only be looking at the contract clauses 252.204-7019/7020 in this post. We will discuss the CMMC clause (252.204-7021) in a future post. If you want to learn more about the CMMC now, please check out this video where we introduce and explain the CMMC in detail: https://www.youtube.com/watch?v=1CKjn5ztXCs
New DFARS Requirements
The interim rule also added the following contract clauses: 252.204-7019 “Notice of NIST SP 800-171 DoD Assessment Requirements” and 252.204-7020 “NIST SP 800-171 DoD Assessment Requirements”. These two contract clauses have gone into effect starting November 30th, 2020, and unfortunately, there has been a lot of misinformation being spread about these two clauses. Please read below for an in-depth overview of everything that you should be aware of regarding the two new DFARS clauses 252.204-7019 and 252.204-7020.
DFARS 252.204-7019 & DFARS 252.204-7020 Requirements:
In order to be considered for contract award for NEW contracts after November 30th, you must have completed a current NIST SP 800-171 DoD Basic Assessment no more than 3 years ago and have it uploaded to the SPRS (Supplier Performance Risk System).
The DoD Basic Assessment is a self-assessment using the NIST SP 800-171 DoD Assessment Methodology and scoring system provided by the DoD. If you are unfamiliar with the NIST SP 800-171 Assessment Methodology, you can read it here: https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf
You must also provide access to your facility, systems, and personnel for the government, if they do choose to conduct a medium or high NIST SP 800-171 DoD Assessment (DFARS 252.204-7020).
One of the requirements for both DFARS clauses is that the contractor must upload some basic information about their System Security Plan (SSP) and their POA&Ms in the SPRS. The SPRS can be found here: https://www.sprs.csd.disa.mil/
You will need to provide the System Security Plan name, provide the CAGE (commercial and government entity program) code that is associated with the system security plan, give a brief description of the system security plan, date of the assessment, total score (out of 110) and the date that you will achieve a score of 110 by. All of this information will be used when submitting your DoD Basic Assessment to the SRPS or when sending your DoD basic Assessment via encrypted email to firstname.lastname@example.org (please be aware, some people have had issues submitting their Basic Assessment this way).
Who This Applies to:
Both of these clauses will ONLY apply to contractors that have the current 252.204-7012 “Safeguarding covered defense information and cyber incident reporting” clause in their contract (all of these contracts/solicitations have this clause, as it is required in the flow-down of their subcontracts) AND the contractor handles (stores, processes, or transmits) CUI. CUI should be identified in the contract. If you have questions about you receiving or creating CUI, you should contact the contracting officer or the organization you are contracted with, and ask for guidance on the information you currently receive and handle.
This only applies to new contracts after November 30th, 2020. However, existing contracts MAY receive these clauses through modifications or extensions of their contracts.
The government is not providing medium and high NIST SP 800-171 DoD assessments to every contractor and subcontractor. Only a select few hundred will need to undergo medium and high assessments per year.
What is the Objective:
The reason for all above requirements is to eventually become CMMC certified for CMMC level 3 (the CMMC maturity level that handles CUI). The CMMC will be rolled out over the next few years until September 30th, 2025. All contracts are expected to have the CMMC after that date.
If you DO NOT receive, handle, or create CUI, then you are not required to follow the DFARS 252.204-7019 & DFARS 252.204-7020 clauses, and you’re not required to upload your NIST SP 800-171 DoD Basic Assessment summary to the SPRS at this time. If a contractor has reached out to you requesting you to upload a score to the SPRS, but you do not receive, handle, or create CUI, then you should explain this to them and inform them that you do not need to meet the requirements from DFARS 252.204-7019/7020.
If you DO receive, handle, or create CUI for a contractor or the DoD, then you must comply with 252.204-7019/7020 for any new contracts or current contract if they are modified. This means you must upload all appropriate materials related to these clauses to the SPRS or send your Basic Assessment via encrypted email to email@example.com. Your Basic Assessment does not need to be uploaded to the SPRS until time of contract award.
If you DO NOT KNOW if you receive, handle, or create CUI, you should reach out to your contracting officer or the prime contractor and ask them for clarification on if you are receiving, handling, or creating CUI for the DoD or prime contractor.
You are a company that is a sub-contractor that provides a product to a prime contractor of the DoD. The prime contractor has sent you a letter, stating that you must comply with DFARS clauses 252.204-7019/7020 to bid on future contracts with the prime. However, you do not receive, process, store, or create CUI for the prime contractor or the DoD. What should you do?
First, you should ensure that you do not handle or create CUI at all. If you are unsure, review your contract or contact the Prime contractor and ask. If you are positive that you do not handle or create CUI, then you should inform the prime contractor that you do not plan on submitting a NIST SP 800-171 DoD Basic Assessment to the SPRS, because you do not handle or create CUI; therefore, these contract clauses do not apply to your organization.
You are a company that is bidding on a contract to become sub-contractor that creates and provides a product to a prime contractor of the DoD. The contract clearly states that the prime will be flowing CUI down to the sub-contractor who is awarded the contract. The prime contractor is being proactive and has contacted you, requesting proof that you are compliant with DFARS clauses 252.204-7019/7020, before the contract is awarded. What should you do?
The contract states that your company will be receiving CUI if you are awarded the contract. Therefore, you must comply with DFARS clauses 252.204-7019/7020. You will have to have a NIST SP 800-171 DoD Basic Assessment to the SPRS at the time of contract award. Since the prime is requesting you provide proof before contract award, you will have to communicate with them and inform them of your intentions of getting your Basic Assessment into the SPRS by time of contract award, if you do not have it in there already.
Our hope is to help answer all of your questions regarding the new DFARS interim rule, and the three clauses that have been added. We strongly recommend that you read the interim rule for yourself, which can be found here: https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of.
If you do have any other questions, please email us at firstname.lastname@example.org.