Recently the world of DoD cybersecurity compliance has been dominated by CMMC discussions. Now, there is an additional compliance requirement — and it’s urgent!
It relates to NIST 800-171. Although the regulatory DoD deadline is November 30, 2020, the lead time needed suggests starting to prepare today. And the impact could be enormous. If your company wants to renew current contracts with DoD or win new contracts, you may need to be compliant as soon as October 30, 2020. And you will also need to ensure your subcontractors are compliant!
All of the above came to light on September 29, 2020, when DoD issued an Interim DFARS Rule covering both CMMC and NIST 800-171. And the consequences of the NIST 800-171 update are significant.
Although many DoD suppliers should have been compliant with 171 for years, DoD now wants to put more teeth into this compliance in a number of ways.
1) Suppliers that are required to implement 171 (i.e., whose contracts include DFARS 252.204-7012) must now perform an assessment, using a defined scoring methodology, that identifies how many of the 110 different NIST 800-171 security requirements have been fully implemented, and provide a date by which the “score” of 110 (i.e., full compliance) will be achieved. This information is to be uploaded to DoD’s Supplier Performance Risk System (SPRS).
The assessment mechanism is also different. Suppliers at the “Basic” level may self-certify, but those at the Medium and High levels will be subject to an assessment by DoD auditors. These auditors are not the same as CMMC assessors; they come from the Defense Contract Management Agency (DCMA), which provides contract administration services for the DoD and for other federal organizations and international partners.
2) The contractual/legal deadline could be as soon as November 30, 2020, which is the technical effective date of the Interim Rule, depending on the specific timing of a company’s contract and task/delivery order award and option dates. But, as some have noted, DoD may need 30 days to process an assessment, which could make the practical effective date as early as October 30, 2020.
3) Your company has to be compliant by the time of the contract award, task or delivery order award, or exercise of a contract option. This means that if you have an existing contract with an option date of December 10, then you must be compliant by that time. If you want to submit a bid on a new contract on December 10, then you will need to verify that you have a current 171 assessment (i.e., not more than three years old) on record and visible in the Supplier Performance Risk System (SPRS).
4) Contractors must also ensure that their subcontractors conform with 171 based on the flow-down requirement:
“The Contractor shall not award a subcontract or other contractual instrument, that is subject to the implementation of NIST SP 800-171 security requirements, in accordance with DFARS clause 252.204-7012 of this contract, unless the subcontractor has completed, within the last 3 years, at least a Basic NIST SP 800-171 DoD Assessment, as described here, for all covered contractor information systems relevant to its offer that are not part of an information technology service or system operated on behalf of the Government.
“If a subcontractor does not have summary level scores of a current NIST SP 800-171 DoD Assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) posted in SPRS, the subcontractor may conduct and submit a Basic Assessment, in accordance with the NIST SP 800-171 DoD Assessment Methodology, to email@example.com for posting to SPRS along with the information required by paragraph (d) of this clause.”
5) Inaccuracies in a contractor’s assessment reporting could expose it to liability under the False Claims Act (FCA), which imposes civil and potentially criminal liability on anyone who “knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval” or “knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim” paid by the Government. The Civil False Claims Act, 31 U.S.C. § 3729, imposes a civil penalty of between approximately $11,000 and $22,000 for each violation, plus three times the amount of damages that the Government sustains.
If your company seeks to continue doing business with the DoD, you must address the updated NIST 800-171 assessment process now.
A Nov. 10 Celerium webinar on NIST 800-171 will feature John Ellis, Director of the Software Division at the DCMA, which covers the application of cybersecurity contract requirements and the policies supporting NIST 800-171 audits, along with legal experts from Steptoe & Johnson LLP. It will cover the compliance issues of protecting your sensitive CUI data on your on-prem infrastructure, in the cloud, and in Office 365. Celerium is also providing a free NIST 800-171 assessment tool for suppliers. (C.U.)