WARNING: What Every Contractor Needs To Know About DoD’s New Cybersecurity Interim Rule
If you are doing work for the Federal Government, in particular for the Department of Defense (DoD), you probably know that cybersecurity compliance has become a major requirement for obtaining contracts with DoD. Up until November of 2020, contractors were required to implement NIST 800-171 to protect what the Government termed Controlled Unclassified Information (CUI). This required contractors to establish plans and processes to safeguard all data that is provided by or developed for the Government, whether it is stored or transmitted. It also required contractors to identify and report any cyber incidents, and to flow down the requirements to subcontractors and suppliers.
Continuously increasing levels of cybercriminal activity have led DoD to require contractors to migrate from NIST 800-171 in their technology environment to the more comprehensive Cybersecurity Maturity Model Certification (CMMC). This new framework allows DoD to better assess and verify contractors’ cybersecurity practices and procedures for protecting CUI.
According to the published timeline, requirements for CMMC compliance may be included in selected, approved solicitations and contracts through September 30, 2025. After October 1, 2025, contractors can expect to see CMMC compliance requirements in all solicitations and contracts. It is important to note that CMMC compliance requirements will not apply to procurements of Commercial Off The Shelf (COTS) products or to procurements below the micro-purchase threshold.
Between now and the day when CMMC requirements appear in solicitations, contractors whose contracts include clause DFARS 252.204-7012 must abide by the requirements of a DoD Interim Rule, which includes the following three elements:
1. Scored Self-Assessments
It’s no longer enough to simply declare that you have implemented 800-171. Government contractors must now self-assess their implementation of each of the 110 cybersecurity controls included in 800-171 and score themselves based on a detailed methodology defined by DoD.
2. System Security Plans (SSP)
The self-assessment score must also be accompanied by a completed System Security Plan (SSP), which identifies the functions and features of a system, including all of its hardware and software. The SSP defines the security measures that have been put in place to limit access to authorized users and provides details of the processes for auditing and maintaining the system. The plan also helps establish an incident response plan in the event of a breach.
In short, the SSP is a comprehensive summary of all security policies and procedures that will help keep DoD data secure if the DoD awards a contract.
3. Plan of Action and Milestones (POA&M)
For any of the 110 controls identified in NIST 800-171 that are not fully implemented, the contractor must submit a Plan of Action and Milestones (POA&M) along with their self-assessment score and SSP. The POA&M identifies each task that needs to be completed in order to implement a missing control, including resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.
The NIST self-assessment results must be submitted and stored in the contractor’s Supplier Performance Risk System (SPRS) record and should include the assessment score, the SSP, the date of the assessment, and the date by which the contractor will reach the milestones set forth in its POA&M.
If you have any questions concerning your cybersecurity compliance status, please give us a call at (915) 587-7902; we would be happy to visit with you.