The Pentagon will require government contractors to submit a self-assessment of their compliance with the 110 controls in NIST Special Publication 800-171 starting Nov. 30, establishing a new cyber regime for contractors under the Defense Department that will have a wide-ranging impact on the DOD supply chain.
The interim rule, published on Sept. 29, sets up the requirements for the Defense Department's Cybersecurity Maturity Model Certification (CMMC) program, which will be rolled out over a five-year period. Until that rollout is complete, contractors who handle controlled unclassified information will need to submit a self-assessment of their compliance with NIST 800-171 through DOD's Supplier Performance Risk System (SPRS) when they bid on a new contract or order.
The rule says, “The new DFARS provision 252.204-7019 advises offerors required to implement the NIST SP 800-171 standards of the requirement to have a current (not older than three years) NIST SP 800-171 DoD Assessment on record in order to be considered for award. The provision requires offerors to ensure the results of any applicable current Assessments are posted in SPRS and provides offerors with additional information on conducting and submitting an Assessment when a current one is not posted in SPRS.”
The CMMC program will ultimately require contractors at maturity level three to meet all 110 controls in NIST 800-171, along with 20 additional controls and three processes.
The existing rule already requires contractors to self-assess their compliance with NIST 800-171, but starting Nov. 30 the results must, for the first time, be posted to a government procurement system that DOD acquisition officials can access.
“The new 171 regulations seem to be a stopgap measure until CMMC will roll out,” Eric Crusius, an attorney at Holland & Knight, told Inside Cybersecurity. “These regulations focusing on 800-171 will fill the gap until everyone is required to have CMMC compliance.”
DOD has developed an assessment methodology for NIST 800-171 that establishes three levels of assessment: Basic, Medium and High. The Basic level is the initial self-assessment performed by the contractor.
Medium and High assessments will be conducted by the Defense Contract Management Agency after a contract is awarded, based on the "criticality of the program or the sensitivity of information being handled by the contractor," according to the rule.
“Under both the Medium and High Assessment DoD assessors will be reviewing the contractor's system security plan description of how each NIST SP 800-171 requirement is met and will identify any descriptions that may not properly address the security requirements,” the rule says. “The contractor provides DoD access to its facilities and personnel, if necessary, and prepares for/participates in the assessment conducted by the DoD. Under a High Assessment a contractor will be asked to demonstrate their system security plan. DoD will post the results in SPRS.”
The rule says the vast majority of contractors will only need a Basic self-assessment. DOD expects that in each year of a three-year period, 8,823 "small entities" will need a Basic assessment, 148 a Medium assessment and 81 a High assessment.
However, the Defense Department could determine that information a contractor provides through its self-assessment needs further review, according to contracting attorney Michelle Litteken of Morris, Manning & Martin.
“The rule presents these NIST standards as checkboxes, but these are complicated technical considerations,” Litteken told Inside Cybersecurity. “Some are simple like passwords but others are a lot more complicated and contractors are going to potentially need to contract third parties to be able to consult them to certify in good faith that they are meeting these standards.”
DOD is also requiring contractors to submit a "plan of action," also known as a plan of action and milestones (POA&M), for any 800-171 controls they have not implemented at the time of the self-assessment. The plan must state when the contractor projects each outstanding control will be met.
Contractors who self-certify “without taking reasonable steps” to meet the controls could be found to be acting with “reckless disregard for the truth,” Litteken said, which exposes the contractor to “a potential False Claims fraud liability” case brought by the government.
In a Law 360 article on the False Claims Act, attorney Robert Metzger writes noncompliance related to POA&Ms “could arguably be material if it can be shown that the DOD's knowledge of the noncompliance would have influenced its decision to exercise the option or continue paying the contractor. The threat of this kind of FCA action underscores the need for contractors to submit realistic dates by which they can achieve a score of 110 and, once the basic assessment is completed, to faithfully execute their POAMs and document the steps they have taken to fix compliance gaps.”
The article was co-written with two of Metzger's colleagues at the law firm Rogers Joseph O'Donnell, Stephen Bacon and Alexandria Webb.
Former CMMC Accreditation Body board member Mark Berman says the goal of NIST 800-171 is not to produce lawsuits but rather to create more “visibility” into the DOD supply chain.
“Compliance with the new regulation doesn’t mean you have to have an empty POA&M,” Berman told Inside Cybersecurity. Berman is the CEO of Future Feed, a platform that automates compliance with NIST 800-171 controls and the upcoming CMMC requirements.
“If you think of the situation globally for the whole supply chain, we want to get everyone’s POA&M down to zero,” Berman said. “DOD is requiring contractors report their score because the goal is visibility. The compliance goal of you being 100 percent compliant comes with CMMC down the road.” -- Sara Friedman