DoD released its long-awaited Rulemaking Agenda for CMMC 2.0 last week. The update indicates that the rule is now slated to be published in May 2023, not March 2023, as previously anticipated. The release additionally revealed that DoD will not publish an Interim Final Rule at that time. This means that DoD will publish a Proposed Rule in the Federal Register that will be open for public comment, typically for a period of 60 days. As such, the actual timeline for DoD to issue a Final Rule can vary significantly. How long it takes will largely depend on the number of public comments submitted and how long it takes DoD to address them. While it is difficult to predict exactly when DoD will publish the Final Rule, it could be as late as mid-2024.
What this means to defense contractors and companies pursuing work with DoD:
- The requirement to undergo third-party assessments based on NIST 800-171 will coincide with the date of the Final Rule
- Requirements set forth in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems are unchanged
- Requirements set forth in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting are unchanged
- Requirements set forth in DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements are unchanged
- Requirements set forth in DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements are unchanged
Keeping track of the changing CMMC landscape can be difficult. This change, however, does not impact the cybersecurity practices that DoD requires of current or prospective defense contractors. The following requirements still apply to contractors with the aforementioned DFARS clauses in their contracts:
- Must have completed a Self-Assessment against NIST 800-171
- Must have a written System Security Plan (SSP)
- Must have a Plan of Actions and Milestones (POA&M)
- Must provide a final completion date for all POA&Ms
- Must have a calculated DoD Assessment Score
- Must have submitted the above information into the DoD Supplier Performance Risk System (SPRS)
It is important to note that the above requirements must be maintained over time and be reevaluated at least annually. For example, the SSP and POA&M must reflect changes to the system or the operating environment. In addition, changes to the system can result in new POA&Ms that need to be managed. As POA&Ms are mitigated, new scores should be calculated and updated in SPRS. Unfortunately, we are aware of cases in which companies had met all the basic requirements, only to learn a couple of years later that their compliance program no longer represented their system.
Assurance is not limited to SPRS. Prime contractors and two newly minted DFARS clauses are a sure sign that using external sources to assure compliance with NIST 800-171 is not going away. We have seen a significant increase in prime contractors levying NIST 800-171 requirements in new contracts and requiring their existing subcontractors to demonstrate compliance with the standard. This includes requests for the following evidence:
- Questionnaires
- DoD Assessment Score
- Open POA&Ms
- System Security Plan
In 2022, two new DFARS clauses gave further credence to the forward momentum of CMMC-destined requirements, and the department’s resolute position on protecting Controlled Unclassified Information (CUI). The clauses have already begun to appear in prime contracts and have flowed down to subcontracts.
The first, DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, requires offerors to implement DFARS 252.204-7012 before being “considered” for award.
The second clause is DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements. Paragraph (c) requires contractors to provide access to their facilities, systems, and personnel as necessary for the government to conduct Medium or High assessments as described in the NIST SP 800-171 DoD Assessment Methodology.
One can only conclude that DoD’s decision to postpone publication of a Final Rule does not signal a change of trajectory regarding current NIST 800-171 compliance, nor does it indicate a change to assured compliance using external resources. Rather, downward pressure by DoD and prime contractors, coupled with these new clauses, clearly signifies that compliance with NIST 800-171 will continue to be required and that external resources will continue to be used to assure it.
Finally, when considering what course of action or next steps to take, we recommend staying the course. It is critical that defense contractors continue progress towards achieving a maximum DoD Assessment Score of 110. This means continuing to develop or improve their current CMMC-based compliance program by working on and closing open POA&Ms, which will help produce a favorable assessment outcome.