On September 30, 2020, the DoD revealed a new set of proposed clauses for the Defense Federal Acquisition Regulation Supplement (known as the DFARS) in an interim rule (DFARS Case 2019-D041). These new clauses seek to close the gap between security and compliance for the Defense Industrial Base (DIB). The interim rule introduces the CMMC requirement, which had been expected for well over a year, but the additional clauses the interim rule introduced were widely unexpected.
Before explaining the new clauses, it is relevant to address the existing -7012 clause. Since December 2017, this clause has mandated compliance with NIST 800-171 for companies handling DoD Controlled Unclassified Information (CUI). The -7012 clause is approved for use in all DoD contracts (with a few exceptions) and is found in contracts that do not contain CUI. The new set of clauses in the DFARS can be viewed as an expansion of the -7012 clause to create more stringent guidelines for the DIB.
-7019 Clause: Notice of NIST SP 800-171 DoD Assessment Requirements
All companies that handle DoD CUI must complete a self-assessment using the DoD Assessment Methodology and generate a score. Companies must then enter that score, together with the date by which they plan to remediate all gaps, into the Supplier Performance Risk System (SPRS). At the time of award for a DoD contract containing the new -7019 clause, a DoD contracting officer will simply verify that a score has been uploaded. At this time there is no baseline score requirement, which means that any score is sufficient to meet the -7019 clause requirement.
-7020 Clause: NIST SP 800-171 DoD Assessment Requirements
Along with the -7012 and -7019 clauses, this new clause is approved for inclusion in all DoD contracts. It requires a contractor to provide the Government with access to its facilities, systems, and personnel when it is necessary for DoD to conduct or renew a higher-level assessment. The higher-level assessments are the Medium and High assessments; the self-assessment conducted under the -7019 clause is called a Basic Assessment.
- Medium Assessment: conducted by DoD personnel and will consist of a review of the system security plan (SSP) description of how each requirement is met to identify any descriptions which may not properly address the security requirements.
- High Assessment: conducted on-site by DoD personnel at a Defense contractor’s location and leverages the full NIST 800-171A assessment methodology to determine if the implementation meets the requirements by reviewing appropriate evidence and/or demonstration (e.g., recent scanning results, system inventories, configuration baselines, demonstration of multifactor authentication).
Additionally, this rule requires that contractors flow down the requirements established in -7019 to their subcontractors.
-7021 Clause: Cybersecurity Maturity Model Certification (CMMC) Requirements
This new DFARS clause establishes CMMC in the federal regulatory framework. It requires CMMC to be included in all contracts, task orders, and solicitations (with few exceptions). The CMMC level required will be determined by the DoD and inserted into the Request for Proposal. Contractors must maintain the appropriate CMMC level for the duration of any contract and flow down the necessary requirements to subcontractors. CMMC certification at the appropriate level is required at the time of contract award.