DFARS rule update for CMMC
The acquisitions office has proposed an amendment to DFARS 252.204-7012, which is the contract rule that currently requires a high level of cybersecurity for the majority of Defense Contractors.
The amendment is expected to replace the 110 controls in NIST SP 800-171 with CMMC’s Level 1-5 approach. If and when the amendment is approved, it will signal the official start of the CMMC requirement for Defense Contractors.
Ms. Katie Arrington gave the following status updates in mid-July 2020 during a webinar hosted by cybersecurity company Celerium:
- The DFARS rule amendment is close to being released for public comment. (September 2020?)
- After 60 days of feedback is incorporated, the rule will be published in final form. (November 2020?)
- 30 days after publishing, the rule will go into effect. (December 2020?)
- New RFPs will start including the rule once it is in effect.
DAU Webinar gives new info on DFARS and CMMC
Big news, just released on August 25, 2020, from Defense Acquisition University. The slide deck is available for download either at the link above or via the direct link here.
This is slide 10 from the DAU slide deck. Note the emphasis on the Government being more stringent about marking/identifying CUI before giving it to the contractor. Also see that contractors are required to flow down security requirements to their subcontracts.
This is slide 11 from the DAU slide deck. It emphasizes that vendors (MSPs and security providers) must meet security requirements if they deal with CUI or FCI while managing client networks. Vendors are also expected to participate during a DFARS assessment of their clients.
This is slide 18 from the DAU webinar slide deck. Specific to future plans for CMMC, it describes requirements for vendors, as well as scoping and required documentation. The last sentence seems like overkill for CMMC Level 1…
DFARS rule change status
Case number: 2019-D041
Title: Strategic Assessment and Cybersecurity Certification Requirements
Synopsis: Implements a standard DoD-wide methodology for assessing DoD contractor compliance with all security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations and a DoD certification process, known as the Cybersecurity Maturity Model Certification (CMMC), that measures a company’s maturity and institutionalization of cybersecurity practices and processes. Partially implements section 1648 of the FY20 NDAA.
Status: 04/24/2020 DARS Regulatory Control Officer submitted draft proposed DFARS rule to OIRA. OIRA reviewing.
eMASS for CMMC assessments
Ms. Ellen Lord, the DoD Under Secretary of Defense for Acquisition and Sustainment, gave a CMMC update on August 13, 2020, to the Professional Services Council. The DoD has identified the eMASS platform for CMMC assessment reports and company certificates. Development of a CMMC version of eMASS is planned to start in August 2020.
First CMMC Pathfinder assessments started
Ms. Lord also gave updates on the CMMC Pathfinder program during her talk. So far, one Pathfinder contract has been evaluated and another is planned to start evaluation in September. These Pathfinders are “nonpunitive and not for attribution”.
Voluntary assessments requested
The ASTRO Solicitation Final.doc on beta.sam.gov includes a solicitation for companies to volunteer for the CMMC Pilot:
H.15 CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) PILOT PROGRAM
This procurement has been identified as a CMMC Pilot activity. This will not be a condition of award, but will be a voluntary opportunity to participate in CMMC assessments of the prime and select members of the supply chain. These assessments will be not for attribution or for certification. These assessments will provide the Government and contractors with awareness of their cyber vulnerabilities. There will be a post award conference held between the Government and contractor to identify the Controlled Unclassified Information (CUI) and map it through the supply chain. Based on this mapping several contractors who would handle CUI would have a CMMC Level 3 assessment performed and those not handling CUI would have a CMMC Level 1 assessment performed, again not for attribution or certification.
V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. She specializes in CMMC preparation and DFARS 252.204-7012 compliance, and designing secure and resilient enterprise systems for private sector and the DoD. Amira is the chief editor for cmmcaudit.org, a non-sales website that provides news and informational articles about the Cybersecurity Maturity Model Certification.