New Department of Defense Cybersecurity Regulations

by Mike Semel, CMMC-AB Registered Practitioner

CMMC – the new Cybersecurity Maturity Model Certification (CMMC) for the Defense Supply Chain (DSC) – is being rolled out over five years. In the meantime, for new contracts and renewals, the Department of Defense (DoD) announced the DFARS interim rule, which requires defense contractors to self-assess their implementation of the National Institute of Standards and Technology (NIST) Special Publication 800-171 cybersecurity controls and subjects them to DoD audits.

Both CMMC and the interim rule are challenges for defense contractors because the financial consequences of non-compliance can be huge. Many of the 300,000 defense contractors rely on their contracts to stay alive, and even a company that depends less on defense work does not want to lose that revenue. Failure to comply can result in cancelled contracts, being banned from future contracts, civil claims under the federal False Claims Act, and potential criminal penalties for fraud.

DFARS Interim Rule

The Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirements are referenced in over 87% of defense contracts. Check whether DFARS 252.204-7012 is referenced in your contracts. If it is, the DoD has required you since 2017 to implement the 110 cybersecurity controls in NIST SP 800-171 to protect Controlled Unclassified Information (CUI).

Because surveys and audits showed that most defense contractors had not complied with the DFARS requirement, the DoD created CMMC, which requires companies to pass an independent cybersecurity assessment to qualify for defense contracts. CMMC requires that an entirely new ecosystem be developed from the ground up, so it will not be required in all defense contracts until Fiscal Year 2026, which begins in October 2025.

Because of the five-year rollout before CMMC is required in every contract, in September 2020 the DoD announced an interim rule requiring you to score your implementation of NIST SP 800-171 and post that score in the federal Supplier Performance Risk System (SPRS) database in order to receive new defense contracts and contract renewals until CMMC takes effect. The rule became effective at the end of November 2020.

The DoD developed a weighted scoring system in which points for controls that are not implemented are deducted from a perfect score of 110 (the number of controls in NIST SP 800-171). Each control has been assigned a weighted deduction of 1, 3, or 5 points, so the score is not simply a count of implemented controls. Your score must be submitted to SPRS and is good for three years, but ongoing compliance is required because you must be prepared for a DoD or prime contractor audit at any time.

Negative scores are possible. During a call, a defense contractor told us they had posted a score of 76 into SPRS by simply subtracting one point for each of their missing controls. We accurately deducted the weighted scores for their missing controls and determined that their score was really minus 4.
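The arithmetic behind that call, as an added example (not a DoD tool or anything from this article's author): the script below builds a constructed set of 34 unimplemented controls, scores it the naive way (one point each) and the weighted way (the control's 1-, 3- or 5-point deduction), and shows the same 34 gaps producing 76 under the first method and minus 4 under the second. The control names and the weight assigned to each are placeholders; before posting a real score, take each control's weight from the DoD's NIST SP 800-171 Assessment Methodology, not from this table.

```python
"""Weighted NIST SP 800-171 self-assessment scoring (constructed example).

The control IDs and the 1/3/5 weights in constructed_gap() are placeholders,
not the official DoD weight table.  Look each control's weight up in the DoD
Assessment Methodology before posting a score to SPRS.
"""
from __future__ import annotations

from collections import Counter

PERFECT_SCORE = 110        # one point per NIST SP 800-171 control
VALID_WEIGHTS = {1, 3, 5}  # the only deduction values the DoD methodology uses


def naive_score(missing: dict[str, int]) -> int:
    """The mistake described in the article: subtract one point per gap."""
    return PERFECT_SCORE - len(missing)


def weighted_score(missing: dict[str, int]) -> int:
    """Subtract each missing control's weighted deduction.

    The result can be negative: 110 is the ceiling, not a floor, and a
    handful of 5-point gaps wipe out the score quickly.
    """
    for control, weight in missing.items():
        if weight not in VALID_WEIGHTS:
            raise ValueError(f"{control}: weight {weight} is not 1, 3 or 5")
    return PERFECT_SCORE - sum(missing.values())


def deduction_breakdown(missing: dict[str, int]) -> dict[int, int]:
    """Points lost per weight class; the 5-point column is where to start a POA&M."""
    counts = Counter(missing.values())
    return {w: counts[w] * w for w in sorted(counts)}


def constructed_gap() -> dict[str, int]:
    """Constructed sample input: 34 unimplemented controls, 15 x 5pt, 10 x 3pt, 9 x 1pt.

    Hypothetical names and weights chosen so the totals match the article's
    anecdote (76 naive, -4 weighted); they are not real control assignments.
    """
    gap: dict[str, int] = {}
    for weight, count in ((5, 15), (3, 10), (1, 9)):
        for i in range(1, count + 1):
            gap[f"missing-{weight}pt-{i:02d}"] = weight
    return gap


if __name__ == "__main__":
    gap = constructed_gap()
    print("controls not implemented:", len(gap))
    print("naive score (1 point each):", naive_score(gap))
    print("weighted score:", weighted_score(gap))
    print("deductions by weight:", deduction_breakdown(gap))
```

Run it and the two scores differ by 38 points for the same list of gaps. The breakdown is the practical output: the fifteen 5-point controls account for 75 of the 114 points lost, so closing them first recovers the most score per control.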

As with other regulations, validating compliance requires that everything be documented: written policies, written procedures, and evidence that the procedures are being consistently followed. A written System Security Plan (SSP) is required, along with written Plans of Action & Milestones (POA&M) for controls that are not fully implemented.

The interim rule has three assessment levels – Basic, Medium, and High. Basic is the self-assessment you perform to post your score in SPRS. A Medium ‘desk audit’ requires you to send the DoD the evidence of compliance it requests. In-person or virtual High assessments by DoD staff auditors require you to demonstrate that your processes are fully implemented.

Besides formal DoD assessments, it is common for your large prime contractors to send you questionnaires or to audit your compliance with the cybersecurity requirements in your contracts.

CMMC

CMMC will require you to show that security controls have been implemented and are routinely followed. You will need to pass an independent assessment conducted by a Certified Third-Party Assessor Organization (C3PAO) accredited by the CMMC Accreditation Body (CMMC-AB) to qualify for contracts that require CMMC. It is estimated that it will take five years to build out the training materials and trainers, train and certify assessors and consultants, and then assess and certify over 300,000 defense contractors. The DoD has targeted Fiscal Year 2026 (which begins in October 2025, which is why you may read that CMMC will be required in 2025) for all contracts to require CMMC.

CMMC protects both CUI and Federal Contract Information (FCI). FCI is information, not intended for public release, that is provided by or generated for the Government under a contract related to a product or service.

CMMC is broken down into five levels that build on each other. You will be required to be certified at the required level when a contract is awarded. It is estimated that over 50% of all DoD contracts will only require CMMC Level 1, because many contractors do not store CUI. Contractors that store or process CUI will be required to certify at Level 3 or above.

Level 1 – Basic Cyber Hygiene – includes 17 of the NIST SP 800-171 controls and is intended to safeguard FCI. It requires basic cybersecurity practices to be performed but does not require them to be documented.

Level 2 – Intermediate Cyber Hygiene – is a transitional step toward the protection of CUI. It includes the Level 1 practices plus 55 more, for a total of 72, and requires documentation.

Level 3 – Good Cyber Hygiene – the lowest certification level required to protect CUI – includes all 110 practices in NIST SP 800-171 plus 20 additional practices.

Level 4 – Proactive (156 practices) – and Level 5 – Advanced/Progressive (171 practices) – add practices designed to protect against Advanced Persistent Threats (APTs). A very small percentage of contracts are expected to require these levels.

Everybody is talking about CMMC, but the DFARS interim rule is what you must satisfy now to receive new defense contracts and renewals of existing contracts. The good news is that preparing for the interim rule aligns with CMMC, so none of the effort is wasted.

What is different is that you can no longer skip security controls you considered inconvenient or expensive; you may now have to play catch-up for years of neglect. Remember that you are not alone, and that the investment and inconvenience are worth it to keep your contracts and win new ones.

Our country needs a strong defense, which requires strong cybersecurity.
Thanks for doing your part.


Semel Consulting advises defense contractors on managing their CMMC and DFARS Interim Rule NIST SP 800-171 compliance.


MIKE SEMEL  |  www.SemelConsulting.com

CMMC-AB Registered Practitioner  |  Certified Security Compliance Specialist  |  Certified Business Continuity Professional  |  Certified Health IT Consultant

Certified HIPAA Security Professional  |  Certified HIPAA Administrator  |  Certified HIPAA Professional