In 2017, the DoD issued the Defense Federal Acquisition Regulation Supplement (DFARS) memorandum for contractors, requiring them to follow the NIST 800-171 cybersecurity framework. The goal was to protect controlled unclassified information (CUI) from cyberattacks. However, confusion about the standards led to slow adoption. As a result, the DoD released the CMMC standard to help defense industrial base (DIB) contractors adopt strong and effective cybersecurity practices.

While CMMC has yet to fully roll out, its eventual release does not mean the demise of DFARS. All DoD contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet DFARS minimum security standards or risk losing their DoD contracts. Moreover, these DFARS clauses will continue to appear in the contracts of Primes and their subcontractors.

To get a better understanding of the role DFARS will play as CMMC comes into effect, PreVeil spoke with Jeremiah Sahlberg, managing director of Federal and third-party risk at Tevora. Tevora is a specialized management consultancy focused on cybersecurity, risk and compliance services. Tevora services national and international clients, institutions and governments.

PreVeil: We’re in an interesting space for the rollout of CMMC. The AB hasn’t yet released its monitoring guidelines. Covid-19 has us all working from home. So there’s a lot of uncertainty about what will be assessed and how assessments will happen. Do you see companies sitting on the sidelines, waiting to see if they should jump in and get ready for CMMC certification? Or is there more interest now?

Tevora: When I talk to our clients, there are those already in the Federal space, some are in the DIB space, and then those who are neither but want to get out there. The conversation changes based on whether they understand the government space or not.

I would say 80% [of our conversations] for Federal related services are with companies that are already working with the government or DoD. Then, there is the 20% that want to get there. That 20% is explained by the Federal government being one of the entities that is currently spending money. Other industries such as retail and hospitality aren’t spending money right now, so some companies are switching their strategies so they can sell to the government.

So, we are having many more conversations around FISMA, FedRAMP and protecting controlled unclassified information (CUI). Our process starts with understanding the client’s current and future goals, types of data they have access to, and where it resides in their organization.

PreVeil: The AB has said that companies looking to get CMMC compliant should look to DFARS and NIST 800-171 to get started until there is a formal assessment body. Where are the biggest gaps in meeting the NIST controls?

Tevora: Currently, the CMMC website does recommend that companies should start doing assessments against the current DFARS requirements, which means NIST 800-171. The DFARS and NIST 800-171 requirements have been there for 3 years, so the information is nothing new. The biggest gap in meeting the controls is that these organizations have basically self-attested until now. Now they are going to have a validated assessment.


The target CMMC level that many companies are trying to reach is Level 3. At CMMC Level 3, there are 130 controls and 110 of them are straight from NIST 800-171. That means about 85% are things you are already supposed to be doing if you are doing work under DFARS.

A lot of companies do not know where their gaps are. This is where our services come into play, either as a gap analysis or a CMMC preassessment. As of today, no organization can do a certified CMMC assessment, as the training and Certified Third Party Assessment Organization (C3PAO) accreditation has not been issued to anyone. However, we can do assessments against DFARS and NIST 800-171. That’s a big place where Tevora is playing today, and we can do those inspections now.

The gaps we see in companies trying to reach Level 3 are in a couple of different areas. We see incomplete policies, missing multi-factor authentication (MFA), lack of a system security plan, missing encryption, and partial incident response plans that do not address the DoD Cyber Crime reporting requirements.

Regarding policies, there are a lot of policies that need to exist because a company is building a security program on some documented framework of controls and those should be written down. People may have policies but they aren’t complete because they don’t establish roles and responsibilities, consequences, timelines, and cadence activities that have to happen.

MFA is a requirement in NIST 800-171, even for internal administrative access and non-local access. Many organizations have not fully deployed this.

Proper encryption is also required in CMMC in order to secure CUI data at rest and in transit. Depending on where data is stored, and how it’s being passed around with external entities, proper encryption requirements change. But for us, this is a big area where we see PreVeil being able to play because data in PreVeil is always encrypted end-to-end.

Some in the DIB have attested to NIST 800-171 but they haven’t gone back and traced and mapped their data. How does data come in and where does it go? Forcing a customer to know how data moves through their organization leads to a lot of surprises. Getting the customer to focus on that process can be a challenge because the data inputs may be unstructured and not clearly defined. Sometimes that data is received via email, and that whole process needs to be protected.


PreVeil: You mentioned lack of encryption, do you think using end-to-end encryption to secure email and files makes it easier for DIB companies to become DFARS and CMMC compliant?

Tevora: Sure, by integrating end-to-end encryption solutions, this can certainly help address some of the NIST 800-171 controls. Remember, DFARS just points to NIST 800-171 for defining adequate security, and CMMC Level 3 contains those requirements, too. CUI data in email does prove to be a challenge for many companies, as this is sometimes the “last mile” for protecting data. Many companies have automated systems with APIs and EDI that are already configured with the needed encryption controls, but email can present a challenge for many organizations. That said, there are several other controls that will need to be addressed outside of end-to-end encryption.

PreVeil: Once CMMC becomes the law of the land, what role will DFARS play?

Tevora: CMMC is about validation of the cybersecurity controls that a company needs to meet. That type of validation already happens in the PCI space with Qualified Security Assessors and in FedRAMP with 3PAOs. It hasn’t happened with the DoD. Now, with CMMC, there will be C3PAOs that will come in and give you a stamp of approval on an assessment.

At the same time, DFARS is not going away. CMMC is building on top of DFARS. DFARS has a lot of stuff above and beyond CMMC that is important to cover. For example, some of the major ones you have are:

DFARS 252.204-7012 Clause Requirements

Contractors shall:

  • Provide adequate security
  • Report cyber incidents
  • Submit discovered malicious software
  • Preserve and protect images of information systems in a cyber incident
  • Provide information to enable a forensic analysis
  • Flow down the DFARS clause to subcontractors

None of this is net new. The part on ‘Provide adequate security’ is actually carried over into CMMC as well. But, all of this has been there since the end of 2017 and will be there after CMMC comes into play. What we don’t know is exactly what the text of DFARS is going to look like post-CMMC implementation. However, companies will still be expected to meet these DFARS mandates.

PreVeil: Can you explain how companies can meet CMMC and still not meet all the DoD requirements around DFARS and cybersecurity?

Tevora: That is actually correct. The two are not mutually exclusive.

The main thing in DFARS that crosses over to CMMC is adequate security. The other points, such as incident reporting, are managed by DFARS. When a company gets audited, they will need to be assessed at a particular CMMC level, and they will probably also need to be assessed for DFARS. But they can meet CMMC and not DFARS.


PreVeil: Flow down is a big issue for subcontractors. Can you dig in a bit and explain how this will change going forward with CMMC?

Tevora: I don’t think the flow down requirements will change in DFARS; this will remain. What will change is how the subcontractors are verified. Right now the Defense Contract Management Agency (DCMA) has expanded their scope to include conducting DIBCAC assessments, and this includes scoring against NIST 800-171 criteria, but this program has just formally been launched this year. Some auditing has been and is being conducted, but it has been limited and focused. There’s no overarching inspection of all 300,000 contractors. No one is checking the 3rd and 4th level down. Until now, DFARS has been a requirement, but only limited validation has existed.

Clause (m) of DFARS 252.204-7012 requires flowdown controls to subcontractors, and I assume that it will be a requirement going forward. So subs will see in the RFP what CMMC level they need to meet, and independent assessors will determine whether a sub meets the standard or not. While the prime contractors will need to make sure they only use subcontractors that have met the CMMC requirements, it will be the role of assessors to determine if the subcontracting company has met the requirements.

It’s important to note that the verification is tier based. That means the inspection verification will be limited on the lower end for meeting CMMC Level 1. It will be harder on the upper end for contractors looking to meet CMMC Levels 4 or 5.

PreVeil: An important part of CMMC is going to be how information is managed and secured in the cloud. How is that changing from DFARS to CMMC?

Tevora: According to DFARS, if you are going to a cloud environment you have to be FedRAMP Moderate or equivalent. This will stay in DFARS and not CMMC. The important thing to note in this is what it says in DFARS, which is that “The Contractor shall provide adequate security on all covered contractor information systems” and that those requirements will flow down from the Prime to the sub.


PreVeil: Do you have any take home message for our readers?

Tevora: If you are already following NIST 800-171 and DFARS 252.204-7012, then you’re already 85% of the way there. You might have a bit more work to get to CMMC Level 3, but it shouldn’t be too bad. If you haven’t been diligent in following these mandates, this will be a big new challenge for you.