Defense Contractors: It’s Time to Pay Attention to Cybersecurity Requirements

Defense Contractors: It’s Time to Pay Attention to Cybersecurity Requirements

Many Defense contractors have been watching and waiting for information on the new Cybersecurity Maturity Model Certification (CMMC) that is looming on the horizon for all 300,000+ Defense contractors. The only exemptions apply to those vendors providing commercial off the shelf items and solicitations below the micro-purchase threshold of $10,000.  Currently, the CMMC Accreditation Body is in the process of training assessors and registered practitioners and setting up a “marketplace” where businesses can find an assessor or practitioner. 

Meanwhile, DoD has issued a NEW regulation to enhance cybersecurity in the short term while we wait for the implementation of CMMC over the next 5 years. This new interim regulation (DFAR 252.204-7019) linked here is a solicitation clause that requires firms that handle Controlled Unclassified Information (CUI) responding to a solicitation to have a current assessment on record in an online database called Supplier Performance Risk System (SPRS).  This clause is required in DoD Solicitations with CUI above the micro-purchase threshold of $10,000 starting now.  

We will be discussing all this in an upcoming Webinar on December 8th.  Until then, read on:

DOES THE NEW ASSESSMENT REQUIRMENT APPLY TO YOU?

Maybe.  Katie Arrington, DoD’s Chief Information Security Officer recently indicated in public sessions that it applies to all Defense contracts.  However, the regulation aligns itself with the existing regulation that only applies to contracts with CUI.  And, we’ve heard that for solicitations auto-awarded in Defense Logistics Agency’s Defense Internet Bid Board System, DLA is only applying it to solicitations with CUI.   Public comment on the interim rule closed November 30 and there were several comments about this confusion. We anticipate clarification soon.

Additionally, there is significant confusion about whether firms providing commercial items are exempt as they are from CMMC.  We’ve heard reports of some prime contractors requiring the self-assessments for ALL their suppliers.  And, the rule indicates:

“…To achieve the desired policy outcome, DoD intends to apply the new provision and clauses to contracts and subcontracts for the acquisition of commercial items and to acquisitions valued at or below the simplified acquisition threshold, but greater than the micro-purchase threshold.”  

However, it goes on to state:

“The provision and clauses will not be applicable to contracts or subcontracts exclusively for the acquisition of commercially available off-the-shelf items.”

WHAT SHOULD YOU DO?

  1. PTAC’s first advice is to check your current contracts and subcontracts and any active solicitations you are bidding for the following DFARS Clauses.
    • 252.204-7019 (DoD Assessment Requirements)
    • 252.204-7020 (DoD Assessment Requirements) and
    • 52.204-7021 (CMMC requirements).
  2. Know whether or not you are in possession of any Controlled Unclassified Information (CUI) or Covered Defense Information (CDI) or Controlled Technical Information (CTI).  You might be surprised to find out you have it and are required to control access to it.
  3. Complete a self-assessment, especially if you have CUI or make controlled information in the course of your work. This new rule is broad and compliance is checked prior to award so it is critical that you complete the self-assessment and post the results in SPRS if you plan to bid or are expecting an option year award on an existing contract or subcontract.  And, experts agree that good cybersecurity is good business.
  4. Attend PTAC’s Cybersecurity Contract Implications Webinar on December 8th, 10am.
  5. Continue to prepare for CMMC.  Impact Washington has a short Senior Management briefing about it as well as a more in-depth training for practitioners. 

HOW TO DO SELF-ASSESSMENT

The assessment has three levels (Basic, Medium, High) and is based on compliance with NIST SP 800-171 security requirements.  A basic assessment is a self-assessment completed by the contractor while a medium or high is completed by Defense Contract Management Agency.  DCMA stood up the new Defense Industrial Base Cybersecurity Assessment Center in the summer of 2019, but concerns remain that DCMA does not have capacity to conduct all the necessary assessments at this time.

To complete a self-assessment, one option is to use Project Spectrum’s self assessment tool found on their website here.  Click “Cyber Readiness Check” at the top and create a free account.  After completing all the questions with either a yes or no, the system will provide you with a score that you will enter into SPRS.  Instructions on accessing SPRS are found here.  The top score is 110.  Each time you indicate you are out of compliance with one of the items it deducts points.  It is possible to receive a negative score as some items are weighted higher than others.  DoD is not requiring a perfect score or any specific minimum score at this time.  It is, however, a very good idea to shore up deficiencies now.  When you enter into SPRS, you’ll also be asked to enter a date when the contractor will achieve full compliance with all 110 security requirements.   As you implement improvements in your cybersecurity systems, you may update your score in SPRS.

QUESTIONS?

Your PTAC welcomes any and all cybersecurity related questions.  Our mission is to increase contracts and subcontract to Washington firms and if cybersecurity compliance is a barrier to your firm, please reach out.  Find your PTAC advisor at www.washingtonptac.org.