In July 2023 the DoD hit a milestone with submission of a CMMC rulemaking package to the Office of Management and Budget for review. This move signals DoD’s continued commitment to improving the cybersecurity of the Defense Industrial Base (DIB) and its desire to make CMMC the law of the land. Most expect that CMMC requirements will start to appear in DoD contracts in the next 12-18 months.
For any defense contractor handling CUI, the message is loud and clear: CMMC has made a leap toward becoming a reality, and the days of weak enforcement of DoD cybersecurity regulations are coming to an end. This means that now is the time to focus on compliance with NIST 800-171, as explained below.
- DoD’s march toward enforcement of NIST 800-171 and implementation of CMMC
- Primes are increasing pressure on their subcontractors
- Penalties for non-compliance
- What should defense contractors do?
DoD’s march toward enforcement of NIST 800-171 and implementation of CMMC
While it might be tempting for some contractors to wait until CMMC becomes a Final Rule before starting their compliance journey, the fact is that if their contract contains a DFARS 7012 clause, they have already agreed to comply with the 110 NIST 800-171 controls. These are the same 110 controls that sit at the heart of CMMC Level 2, which any organization that handles CUI will need to achieve. DFARS 7012 has been in effect since 2017 and DoD has been making steady progress towards enforcing it:
- 2019: DoD releases its CMMC framework, designed to defend the DIB’s vast attack surface. NIST 800-171 is an integral component of the framework.
- 2020: DoD releases Interim DFARS Rules 7019 and 7020
  - DFARS 7019 requires contractors to conduct a NIST 800-171 self-assessment according to DoD methodology every three years, and submit that self-assessment score to the DoD’s Supplier Performance Risk System (SPRS).
  - DFARS 7020 authorizes DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to assess whether contractors can document and support their claimed SPRS scores. 7020 requires defense contractors to provide access to their facilities, systems, and personnel to enable DIBCAC to conduct a Medium or High NIST 800-171 Assessment. 7020 also directs prime contractors to flow down these requirements to their subcontractors.
- 2021: DoD releases CMMC 2.0, a streamlined version of the original model. CMMC Level 2’s security controls will be in complete alignment with the 110 security controls of NIST 800-171.
- 2022: DoD releases its June Memorandum to all its contracting officers reiterating that all defense contractors handling CUI must implement at a minimum the NIST 800-171 security requirements—and have a Plan of Action & Milestones (POA&M) for each requirement not yet implemented. Further, the DoD memorandum states:
Note that while today contractors are permitted to conduct self-assessments of their compliance with NIST 800-171, CMMC will require outside, independent assessments conducted only by accredited C3PAOs (Certified Third Party Assessor Organizations). Organizations that fail to meet CMMC requirements will be ineligible for future DoD contracts with CMMC clauses.
Primes are increasing pressure on their subcontractors
Since early 2023, more and more subcontractors have reported receiving formal requests from their primes for evidence of a robust System Security Plan (SSP), evidence that they have submitted their NIST 800-171 compliance score to the SPRS database, and evidence that they are making progress toward closing gaps in their NIST 800-171 compliance. Failure by subcontractors to meet their prime’s requirements can lead to loss of progress payments, forfeiture of further contract options, and termination of existing contracts.
These steps by prime contractors demonstrate not only compliance with DFARS 7019 and 7020, but also increased pressure from the DoD to secure their supply chain. As DIBCAC Director Nick DelRosso explained in a recent PreVeil webinar:
DIBCAC is putting increased pressure on primes to ensure they are flowing down NIST 800-171 contract requirements, and on subcontractors to meet those requirements. As DelRosso notes, subcontractors could be the subject of a targeted assessment at either the DIBCAC Medium or High level, meaning that while the focus initially may be on primes, subcontractors could also be assessed by DIBCAC. Failure to show proper progress toward compliance in an assessment at that level could have serious consequences.
Importantly, as contractors work to meet the requirements primes are placing on them, they should take care to not only meet the NIST 800-171 requirements, but also to provide robust and detailed documentation explaining how they meet these controls.
You can be sure that DIBCAC and C3PAO assessors will know if you have sufficient compliance documentation, as it will be obvious when it’s lacking.
Penalties for non-compliance
There are real consequences for contractors who fail to meet their NIST 800-171 compliance obligations. In addition to the DoD Memorandum cited above, in 2021 the Department of Justice launched a Civil Cyber Fraud Initiative, which uses the False Claims Act against companies who knowingly, or with reckless disregard, fail to fulfill applicable obligations imposed by contractual cybersecurity requirements—including NIST 800-171.
The initiative’s aim is to “hold accountable” those entities and individuals that put sensitive U.S. information at risk by failing to comply with federal cybersecurity requirements.
Lest you think this an empty threat by the Justice Department, note that in 2022 it settled with Aerojet Rocketdyne, which agreed to pay $9 million to resolve False Claims Act violations in government contracts. Aerojet, a major government provider of rocket and missile propulsion and power systems for the DoD, NASA and others, was accused of misrepresenting its compliance with cybersecurity requirements in certain federal government contracts.
By failing to properly protect their CUI in accordance with NIST 800-171 requirements, contractors not only renege on their contractual obligations, but also are potentially liable for misrepresenting their cybersecurity practices—whether doing so knowingly or not. Contractors should not think they are too small or unimportant in the supply chain to merit scrutiny by the DoD or Department of Justice. There is no correlation between the size of defense contracts and when CMMC requirements will appear in those contracts. Now, while CMMC rulemaking is underway, is the time to improve your cybersecurity posture.
What should defense contractors do?
DoD’s message is loud and clear. The most prudent move defense contractors can make to safeguard the long-term viability of their business is to start now to raise their organization’s cybersecurity levels and comply with NIST 800-171. Here is how to start:
- Step 1: Adopt a system for storing and sharing CUI. PreVeil, for example, provides an end-to-end encrypted email and file sharing platform that protects CUI at every point in an organization’s communications and collaboration cycle—including its supply chain. PreVeil also supports 102 of the 110 NIST 800-171 controls.
- Step 2: Create your SSP (System Security Plan), POA&M (Plan of Actions & Milestones), and get your other required compliance documents in order. The SSP and POA&M are the key documents your organization needs to support its required NIST SP 800-171 self-assessment. PreVeil offers its customers a comprehensive compliance documentation package to give them a considerable head start on the SSP, POA&M, and essential supporting documents.
- Step 3: Conduct an unbiased NIST 800-171 self-assessment and submit your score to the DoD’s SPRS, or update that score as needed.
- Step 4: Work with a CMMC partner/expert who has the expertise you need. Many certified experts can be found in the CMMC-AB marketplace and in PreVeil’s own robust partner network. This expertise will significantly smooth your path to compliance. A partner can help you meet NIST 800-171 controls that you are unable to meet on your own, and provide you with guidance on how best to prepare for a CMMC assessment by a C3PAO.
These four steps provide contractors with a concrete way to get started on their compliance path. But note that getting ready for CMMC can take an organization 12-18 months, so contractors should not delay getting started.
To learn more about how PreVeil can help your company comply with DoD cybersecurity regulations, schedule a free 15-minute consultation with our compliance experts to answer your questions about DFARS 252.204.7012, NIST SP 800-171, and CMMC 2.0.
Read PreVeil’s briefs:
- NIST SP 800-171 Self-Assessment: Improving Your Cybersecurity and Raising Your SPRS Score
- Case Study: Defense Contractor Achieves 110/110 Score in NIST SP 800-171 DoD Audit
- PreVeil Update: DoD to Ramp Up Enforcement of Compliance with NIST SP 800-171
- What is DFARS 252.204-7012 and Why is it Important?
- What is DFARS 7019 and how can contractors comply with it?
- What Defense Contractors Need to Know about DFARS 252.204-7020
- Complying with the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC 2.0)