If You’re Waiting for CMMC to Start Compliance, You’re Already Behind

Every defense contractor that handles Controlled Unclassified Information (CUI) has a contractual obligation to the DoD to comply with DFARS 252.204-7012. That 7012 clause requires contractors to implement the 110 security controls of NIST SP 800-171, which were developed specifically to protect CUI. Since the clause went into effect in 2017, however, compliance with NIST SP 800-171 has been lacking and DoD enforcement has been weak. Those days are over.
 
This blog describes DoD’s steady progress toward enforcement of NIST SP 800-171, how that connects with CMMC, and best practices for defense contractors to stay in business with the DoD.

DoD’s march toward enforcement of NIST SP 800-171 and implementation of CMMC

The brief chronology below shows the evolution of the compliance environment that defense contractors handling CUI must operate within today. To help your understanding, keep in mind a key point that Stacy Bostjanick, DoD Chief of DIB Cybersecurity, made during PreVeil’s CMMC Summit in October 2022:

“CMMC is just the validation program that people have done what they’ve already agreed to do in complying with and establishing the requirements of NIST 800-171 in their current networks.”

Here’s the chain of events that backs Bostjanick’s statement:

  • 2015: The National Institute of Standards and Technology (NIST) develops 110 security controls designed to protect CUI and releases NIST Special Publication (SP) 800-171 specifying those controls. NIST SP 800-171 requirements are included in DoD contract clause DFARS 252.204-7012.
  • 2017: Deadline: DFARS 252.204-7012 requires all defense contractors that handle CUI to implement NIST SP 800-171’s 110 security controls by late 2017. Contractors are required to self-attest their compliance annually, via a document kept on file in-house.
  • 2019: DoD releases its Cybersecurity Maturity Model Certification (CMMC) framework, designed to defend the vast attack surface of the Defense Industrial Base (DIB). NIST SP 800-171 is an integral component of the program.
  • 2020: DoD releases the Interim DFARS Rule with three clauses effective late 2020:
    • 7019 requires contractors to create a System Security Plan (SSP) and use it as the basis of a NIST SP 800-171 self-assessment, conducted according to DoD methodology every three years. That assessment generates a self-assessment score that must be filed with DoD’s Supplier Performance Risk System (SPRS).
    • 7020 requires defense contractors to provide DoD access to their facilities, systems, and personnel as necessary for DoD to conduct or renew a higher-level assessment of NIST SP 800-171 compliance.
    • 7021 serves as the bridge from DFARS and NIST to CMMC. It requires all defense contractors to achieve CMMC certification at the level specified in their contract by the time of award. Further, all prime contractors must flow down 7021’s requirements to their subcontractors.

  • 2021: DoD releases CMMC 2.0, a streamlined version of the original model. Organizations that handle CUI will need to achieve at least CMMC Level 2. Level 2’s security controls will be in complete alignment with the 110 security controls of NIST SP 800-171. Importantly, DFARS 252.204-7012 and Interim Rule clauses 7019 and 7020 are currently in effect. Clause 7021 will go into effect once CMMC requirements start appearing in DoD contracts, expected from May 2023 (see below).
  • 2022: DoD releases a memorandum to all its contracting officers reiterating that all defense contractors handling CUI must implement, at a minimum, the NIST SP 800-171 security requirements—and have a Plan of Action & Milestones (POA&M) for each requirement not yet implemented. Further, the DoD memorandum states:

    “Failure to have or make progress on a plan to implement NIST SP 800-171 requirements may be considered a breach of contract requirements. Remedies for such a breach may include: withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.”

  • 2022: Prime contractors—held responsible for the security of their supply chains since the Interim DFARS Rule issued in 2020—begin to formally request current and prospective subcontractors’ SPRS scores. Lack of a score is a red flag for primes, and a low score puts subcontractors in a weak position vis-à-vis their competitors.
  • 2022: DoD indicates that DFARS Interim Rule clauses 7019 and 7020 will be cemented into a Final DFARS Rule in Dec. 2022.
  • 2022: The Cyber Accreditation Board (Cyber AB) releases a draft CMMC Assessment Process (CAP) that opens the floodgates for organizations to undergo voluntary C3PAO assessments of their NIST SP 800-171 compliance.

More to come with CMMC:

  • March 2023: DoD is on pace to release a new DFARS Interim Rule that will codify CMMC into law via the DFARS 7021 clause. Once released, the Rule will allow CMMC requirements to appear in contracts.
  • May 2023: DoD expects to start including CMMC certification requirements in new DoD contracts. CMMC requirements will apply to prime contractors and all subcontractors throughout their supply chain.

Once implemented, CMMC will further increase enforcement of NIST SP 800-171 through two key requirements:

  • At CMMC Level 2, self-attestation of compliance with NIST SP 800-171 will no longer be relied upon. Instead, once every three years contractors will need to undergo outside, independent assessments conducted only by accredited C3PAOs (Certified Third Party Assessment Organizations). Organizations that fail to meet CMMC requirements will be ineligible for future DoD contracts with CMMC clauses.
  • SPRS scores from ongoing annual self-assessments of NIST SP 800-171 compliance will need to be signed off by a company or university executive who will be held accountable for the validity of the score.

What does this mean for defense contractors?

First and most important, it is a mistake to conflate NIST SP 800-171 requirements and the CMMC program. Contractors that do so often veer toward inaction. But as the timeline above makes clear, if you currently do work for the DoD that involves handling CUI, then you have a contractual obligation to implement NIST SP 800-171’s 110 security controls today.
 
DoD’s message is loud and clear. The most prudent move defense contractors can make to safeguard the long-term viability of their business is to start now to raise their organization’s cybersecurity levels and comply with NIST SP 800-171. To do so, first get your SSP (System Security Plan), POA&M (Plan of Action & Milestones), and other required documentation in order. The SSP and POA&M are the key documents your organization needs to support its required NIST SP 800-171 self-assessment.
 
Next, conduct an unbiased NIST SP 800-171 self-assessment and submit your score to the DoD’s SPRS, or update that score as needed. Accurately represent your NIST SP 800-171 compliance level (aka your SPRS score). Be prepared for primes to ask for your SPRS score and know that DIBCAC is conducting random audits of SPRS scores.
 
Know, too, that these efforts are about much more than compliance with DoD regulations. Robert Metzger, co-author of MITRE’s seminal Deliver Uncompromised report and co-chair of the cybersecurity practice at the law firm Rogers Joseph O’Donnell, said it well:
 

“The smart move is to protect yourself. Now. Not because you have to comply but because you want your enterprise to stay in business.
 
Don’t let yourself think that it [cybersecurity] matters the day you happen to get an RFI [Request for Information] or RFP [Request for Proposals] that requires an assessment. Be secure beforehand for the sake of your employees, your lenders, your clients, your customers, your investors. And then also your regulator.”

 
Fortunately, technology solutions are available to help you raise your cybersecurity levels and comply with DoD regulations—all while dramatically reducing the potential cost and complexity of doing so.

PreVeil

PreVeil is a state-of-the-art encrypted file sharing and email platform that offers uncompromised security for storing and sharing CUI. It’s built on a modern Zero Trust security model, one strongly recommended by the NSA. Organizations can easily add PreVeil as an overlay to their existing IT environments, including M365.
 
PreVeil supports compliance with 102 of the 110 NIST SP 800-171 security controls, including 37 that PreVeil fully supports and another 65 that are met via shared responsibility with the customer. Moreover, PreVeil’s comprehensive compliance documentation package and the Governance, Risk and Compliance (GRC) tool it offers will save your organization an enormous amount of time and effort on the documentation DoD requires to show evidence of compliance with NIST SP 800-171.
 
PreVeil also has developed a strong partner community of MSPs (Managed Service Providers), consultants, and organizations and individuals certified by the Cyber AB—with expert knowledge of DFARS, NIST, CMMC and PreVeil. Coordinated access to this specialized partner community and PreVeil’s ongoing support will smooth your organization’s path to better cybersecurity and compliance—and save you time, minimize your risks, and reduce your costs.

To learn more about PreVeil and how your company can comply with DoD cybersecurity regulations: