New DFARS Requirements Effective November 30, 2020—Are You Ready?

On November 30, 2020, changes to the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity regulations will require that Department of Defense (DoD) contractors and subcontractors complete and submit a cybersecurity assessment to be eligible for new DoD contracts or new options under existing contracts.

The DoD announced these significant changes on September 29, 2020, which didn’t give contractors and subcontractors much time to prepare. In this blog, we’ll outline the key elements of these new regulations and what you need to do to ensure you’re ready to compete for new DoD business.

Current DFARS Requirements

Since 2017, DFARS regulations have required that DoD contractors and subcontractors implement the 110 security controls included in NIST SP 800-171 on any information system that processes, stores, or transmits Controlled Unclassified Information (CUI). Contractors are allowed to self-attest to their compliance with NIST security controls.

Contractors must maintain a System Security Plan (SSP) that documents the system architecture and implementation approach for each of the required controls. They must also have a Plan of Action and Milestones (POAM) describing the actions that will be taken to fully implement any control that is not fully implemented.

As breaches in the Defense Industrial Base (DIB) space continue, it has become evident that some organizations have not fully implemented all of the NIST 800-171 controls. This is one of the driving factors behind Cybersecurity Maturity Model Certification (CMMC) and the ongoing maturity of cybersecurity validation efforts.

New DFARS Requirements

On September 29, 2020, the DoD announced DFARS changes—effective November 30, 2020—to improve the protection of CUI used in contractor information systems. The changes described in this blog are introduced via the following new DFARS clauses:

  • DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements
  • DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements
  • DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements

Under the new regulations, a NIST SP 800-171 assessment must be completed on each contractor or subcontractor that will be handling CUI. Each assessment will be assigned a numerical point score using a new scoring system defined by the DoD.

Contractors are still required to have an SSP and plans of action for NIST SP 800-171 requirements that have not yet been implemented.

NIST SP 800-171 Assessment scores for contractors that have not implemented all NIST requirements will be lower than scores for contractors that have implemented all of them. The regulation changes will give the DoD a comprehensive view of which contractors have all of the controls in place and which are still working to implement the existing requirements.

To be eligible for new DoD contracts, all contractors and subcontractors that will be handling CUI must file with the DoD a NIST SP 800-171 Assessment that was performed within three years of the date a contract is awarded.

Assessment Levels

The new DFARS regulations define three levels of NIST SP 800-171 Assessments: Basic, Medium, and High, which reflect the depth of the assessment performed and the level of confidence in the score resulting from the assessment.

Basic Assessments

All contractors will be required to complete a Basic Assessment, which is a self-assessment performed by the contractor. A Basic Assessment is based on the contractor’s review of their SSP and plans of action. After completing the assessment, contractors must provide the DoD with the resulting point score and summary level information about their SSP and plans of action for NIST SP 800-171 requirements that have not yet been implemented.

Because these assessments are performed without DoD involvement, the DoD assigns a “Low” confidence level to the contractor’s self-generated score.

Medium Assessments

Medium Assessments will be performed by DoD Assessors. Contractors must provide these assessors with access to their facilities and personnel if necessary. A Medium Assessment consists of:

  • A review of a contractor’s Basic Assessment
  • A thorough document review
  • Discussions with the contractor to obtain additional information or clarification, as needed

The DoD will calculate the point score for these assessments.

The DoD assigns a confidence level of “Medium” to these assessments.

High Assessments

High Assessments will also be performed by DoD Assessors. Contractors must provide these assessors with access to their facilities and personnel if necessary. A High Assessment consists of:

  • A review of a contractor’s Basic Assessment
  • A thorough document review
  • Verification, examination, and demonstration of a contractor’s system security plan to validate that NIST SP 800-171 security requirements have been implemented as described in the contractor’s system security plan
  • Discussions with the contractor to obtain additional information or clarification, as needed

The DoD will calculate the point score for these assessments.

The DoD assigns a confidence level of “High” to these assessments.

Number of DoD Assessments

It is expected that Medium and High Assessments will be conducted on a relatively small number of contractors each year, based on the DoD’s capacity to conduct these assessments. The DoD will have discretion to determine which contracts require Medium or High Assessments.

Assessment Scoring

The assessment scoring methodology examines how each of the 110 NIST SP 800-171 security controls has been implemented and uses a weighted scoring approach to assess the risk resulting from a contractor's failure to implement all of the required controls. Contractors that have implemented all of the NIST controls receive the maximum score of 110 points. Points are deducted for each control that has not yet been implemented, with controls deemed to have a greater impact on overall security risk carrying a higher weight (each requirement is weighted at 5, 3, or 1 point). Because a single unimplemented control can cost more than one point, a contractor with many gaps can end up with a score below zero.
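The following calculator, added here as an example and not part of the original post or the DoD methodology itself, shows how a Basic Assessment score is derived from a POAM-style status list: start at 110, subtract the weight of every requirement that is not fully implemented, and allow the reduced 3-point deduction only for the two requirements (3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography) that the methodology treats as partially creditable. The handful of weights embedded in the table is an illustrative subset written from memory and must be checked against Annex A of the published methodology; the POAM data is constructed for a fictional contractor.

```python
"""Score a NIST SP 800-171 Basic Assessment from a POAM-style status list.

Rule from the DoD Assessment Methodology: start at 110 and subtract the weight
of every requirement that is not fully implemented. Each requirement carries a
weight of 5, 3 or 1; only 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto) allow
a reduced 3-point deduction for partial implementation. Because weights exceed
1, the result can be negative.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

MAX_SCORE = 110

# ASSUMPTION: illustrative subset of the Annex A weights, written from memory.
# A real calculator needs all 110 rows; verify every value against the
# published methodology before relying on it for a submission.
SAMPLE_WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users/processes/devices
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.5": 3,    # least privilege
    "3.5.3": 5,    # multifactor authentication (partial credit possible)
    "3.13.11": 5,  # FIPS-validated cryptography (partial credit possible)
    "3.14.1": 5,   # identify, report and correct system flaws
}

# Requirements where the methodology deducts 3 instead of the full 5 when
# partially implemented (MFA for privileged and remote users but not general
# users; encryption in place but not FIPS-validated).
PARTIAL_CREDIT_DEDUCTION: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

VALID_STATUS = {"implemented", "partial", "not_implemented"}


@dataclass(frozen=True)
class PoamItem:
    requirement: str                  # e.g. "3.5.3"
    status: str                       # "implemented" | "partial" | "not_implemented"
    milestone: Optional[str] = None   # planned completion date, informational only


def deductions(poam: Iterable[PoamItem], weights: Dict[str, int]) -> List[Tuple[str, int]]:
    """Return (requirement, points_deducted) for each deficient item, largest first.

    Sorting by deduction size gives a remediation priority list for free.
    """
    out: List[Tuple[str, int]] = []
    for item in poam:
        if item.status not in VALID_STATUS:
            raise ValueError(f"{item.requirement}: unknown status {item.status!r}")
        if item.requirement not in weights:
            raise KeyError(f"{item.requirement}: no weight in the table")
        if item.status == "implemented":
            continue
        if item.status == "partial" and item.requirement in PARTIAL_CREDIT_DEDUCTION:
            out.append((item.requirement, PARTIAL_CREDIT_DEDUCTION[item.requirement]))
        else:
            # No partial credit anywhere else: a partially implemented
            # requirement is scored as not implemented.
            out.append((item.requirement, weights[item.requirement]))
    return sorted(out, key=lambda d: d[1], reverse=True)


def basic_assessment_score(poam: Iterable[PoamItem], weights: Dict[str, int]) -> int:
    """110 minus the summed deductions; a planned milestone date restores nothing."""
    return MAX_SCORE - sum(points for _, points in deductions(poam, weights))


# Constructed POAM for a fictional contractor (not real assessment data).
SAMPLE_POAM = [
    PoamItem("3.1.1", "implemented"),
    PoamItem("3.1.2", "implemented"),
    PoamItem("3.1.3", "not_implemented", "2021-03-31"),
    PoamItem("3.1.5", "partial", "2021-02-15"),   # no partial credit: full 3 points
    PoamItem("3.5.3", "partial", "2021-06-30"),   # MFA for admins/remote only: -3
    PoamItem("3.13.11", "implemented"),
    PoamItem("3.14.1", "not_implemented", "2021-01-31"),
]

if __name__ == "__main__":
    for req, pts in deductions(SAMPLE_POAM, SAMPLE_WEIGHTS):
        print(f"{req:<8} -{pts}")
    print("score:", basic_assessment_score(SAMPLE_POAM, SAMPLE_WEIGHTS))
```

Running it against the constructed POAM yields a score of 98: one point for 3.1.3, three for 3.1.5 (partial implementation earns no credit outside the two exceptions), three for the partially implemented MFA requirement, and five for 3.14.1. The sorted deduction list doubles as the order in which to work the POAM, since closing the 5-point items first moves the score the most.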

Subcontractor Compliance

Contractors are required to "flow down" the DoD assessment requirements to their subcontractors that will be handling CUI. These flow-down requirements reach the entire DIB, which is why over 300,000 companies are affected.

CMMC

The DFARS changes announced on September 29, 2020 are an interim step on the road to full adoption of the DoD’s Cybersecurity Maturity Model Certification (CMMC), which will ultimately raise the bar for security of DoD contractors. It is expected that CMMC will be fully rolled out to the DIB by October 1, 2025.

The CMMC framework builds on the NIST SP 800-171 Assessment Methodology by adding a comprehensive and scalable certification element to verify the implementation of processes and practices associated with achievement of a security level. CMMC is intended to give the DoD increased assurance that a contractor can adequately protect sensitive unclassified information such as Federal Contract Information (FCI) and CUI at a level commensurate with the risk.

CMMC includes maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references (see table below). The CMMC Maturity Levels and associated sets of processes and practices are cumulative.

CMMC Level   Description
1            The 15 basic safeguarding requirements from FAR clause 52.204-21.
2            65 security requirements from NIST SP 800-171 (implemented via DFARS clause 252.204-7012), 7 additional CMMC practices, and 2 CMMC processes. Intended as an optional intermediate step for contractors progressing to Level 3.
3            All 110 security requirements from NIST SP 800-171, 20 additional CMMC practices, and 3 CMMC processes.
4            All 110 security requirements from NIST SP 800-171, 46 additional CMMC practices, and 4 CMMC processes.
5            All 110 security requirements from NIST SP 800-171, 61 additional CMMC practices, and 5 CMMC processes.

While this may sound intimidating, the good news is that by fully complying with the 110 requirements of NIST SP 800-171, you will have met 85% of the requirements for CMMC Maturity Level 3.

CMMC assessments will be conducted by accredited CMMC Third Party Assessment Organizations (C3PAOs).

DoD RFPs and RFIs will include the CMMC Maturity Level required of contractors wishing to bid on the contract.

Prior to October 1, 2025, when CMMC certification will be required for all DoD contracts, the DoD will identify candidate contracts that will include the CMMC requirement in the statement of work, including specific certification level.

Additional Information

Additional information on the DFARS changes that will be effective November 30, 2020 is available here. Additional CMMC information and a copy of the CMMC model is available here.

Now is the Time to Prepare

If you haven't already done so, now is the time to prepare for the November 30, 2020 DFARS changes. Here's a checklist of things you'll need to do:

  1. Make changes to your environment to bring it into compliance with all of the 110 NIST SP 800-171 security requirements. The more of these you can meet, the higher your assessment score will be, which will likely improve your odds of getting DoD contracts.
  2. Develop and maintain a System Security Plan (SSP) that documents the system architecture and level of implementation for each of the required NIST controls.
  3. Develop a Plan of Action and Milestones (POAM) describing the actions that you will take to fully implement each control and the expected completion date for each action.
  4. Conduct a NIST SP 800-171 self-assessment using the DFARS methodology.
  5. Compute a self-assessment score based on your self-assessment.
  6. Submit the required materials to the DoD. Under DFARS 252.204-7019, Basic Assessment summary-level scores are posted in the Supplier Performance Risk System (SPRS), so make sure your organization has access before the deadline.

If you plan to partner with subcontractors to bid on DoD contracts, work with them to ensure they complete the same steps.

More detailed information on the process and methodology for performing a NIST SP 800-171 self-assessment is available here.

Completing this self-assessment will not only ensure you are eligible for DoD contracts that require a Basic Assessment but will also prepare you for any contracts for which the DoD Assessors will be performing a Medium or High Assessment.

Once you’ve completed these steps, consider taking additional steps to prepare your environment for CMMC certification by a C3PAO. This will prepare you for contracts that may require this level of certification in the future. You’ve got a little more time to get this done, but you’ll want to get moving on this before too long if you plan to continue DoD contract work in the coming years.

We Can Help

If you have questions about the recent DFARS changes or would like help preparing for a NIST SP 800-171 Assessment or CMMC Certification, Tevora’s team of security specialists can help. As a certified ISO 17020 Cyber Security Inspection Body, we can conduct an SP 800-171 Assessment of your environment. Just give us a call at (833) 292-1609 or email us at sales@tevora.com.

About the Author 

Troy Dahlin is a Senior Information Security Consultant at Tevora.