Takeaways

The Interim Rule provides for a phased rollout over five years for all contractors to be assessed by a third party to receive CMMC Certification.
In the interim, contractors may not be awarded contracts, nor can they award subcontracts, unless they, and their relevant subcontractors, have performed self-assessments and reported those results to a DoD website.
The Interim Rule takes effect on November 30, 2020. Comments on the Interim Rule must be submitted by that date.

This Alert is the latest in a series in which we assess the impacts of the Cybersecurity Maturity Model Certification (CMMC) Framework on Department of Defense (DoD) contractors. In previous client alerts, we have discussed how this new program could potentially impact all government contractors (December 2019), we have summarized early versions of the CMMC Framework (February 2020), and we have explained how other non-DoD agencies are requiring their contractors to meet this new DoD cybersecurity standard (July 2020).

This new Interim Rule is part of DoD’s efforts to enhance the protection of sensitive data within the Federal supply chain. The CMMC framework adds a verification and assessment component to DoD’s cybersecurity requirements encompassed in the basic safeguarding requirements of FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, and the security requirements specified in NIST SP 800-171 per DFARS clause 252.204-7012. However, DoD is implementing a phased rollout of CMMC and is not implementing the new CMMC requirements in all DoD contracts until after September 30, 2025. Prior to that date, the Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)) will direct which contracts will require contractors to undergo a full third-party CMMC assessment. Upon completion of the rollout, all DoD contractors will be required to reach some level of CMMC Certification if they are to receive future DoD contracts and subcontracts, except for DoD acquisitions solely for commercially available off-the-shelf (COTS) items. While the CMMC rollout is not news to the DoD contracting community, what may be surprising to contractors is the new requirement in the Interim Rule covering the interim period until CMMC rollout is complete (September 30, 2025). Specifically, the Interim Rule requires contractors to quantify their current cybersecurity compliance and report that status to a DoD website for consideration prior to any new contract award, or prior to the DoD’s exercise of any contract option.

This Interim Rule adds a new DFARS subpart, Subpart 204.75, Cybersecurity Maturity Model Certification (CMMC). This subpart includes policies and procedures for awarding a contract or exercising an option on a contract between now and October 1, 2025. Specifically, the Interim Rule proposes two new DFARS clauses to be used between now and September 30, 2025, when all DoD contracts will need to be CMMC Certified. The first clause (DFARS 252.204-7021 Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement) is to be used in DoD contracts that need immediate CMMC Certification, i.e., a full third-party assessment conducted and the issuance of a CMMC Certification. As mentioned above, the USD(A&S) will determine which contracts are subject to this requirement. The second DFARS clause (DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements) is to be used on the remaining contracts, i.e., the majority of contracts over the next five years.

This second clause is likely to raise immediate concerns for some DoD contractors. Although industry has been anticipating the CMMC rollout, DoD has not previously explained the requirements that contractors will be subject to while the rollout is ongoing. This new clause requires contractors to immediately post Assessments of their cybersecurity compliance on the DoD’s Supplier Performance Risk System (SPRS) to provide DoD Components with visibility into the scores of Assessments already completed, and to verify that an offeror has a current (i.e., not more than three years old, unless a lesser time is specified in the solicitation) Assessment on record prior to contract award. The Assessments will reflect the NIST SP 800-171 security requirements. As a practical matter, many DoD contractors already are subject to these requirements under their existing contracts. However, posting the required Assessment may pose a significant administrative burden for contractors that have not recently assessed their level of compliance. Additionally, the clause prohibits contractors from awarding subcontracts, or any other contractual instruments, to subcontractors that have not also reported their Assessment to the DoD website.

The second clause contains three Assessment levels: Basic, Medium and High. A Basic Assessment is a self-assessment completed by the contractor, while Medium or High Assessments are completed by the DoD, e.g., by the Defense Contract Management Agency (DCMA) or a specific awarding organization. Under the Interim Rule, a Basic Assessment will result in a confidence level of “Low” because it is a self-generated score. The Interim Rule implies that procurements will require a certain Assessment level, but it does not provide details on whether or how this will be done.

This second clause raises several novel issues for contractors. For example, contractors subject to the second DFARS clause (DFARS 252.204-7020) potentially could face liability for a self-Assessment that is improperly conducted or reported. Contractors also potentially could be held responsible for the credibility of their subcontractors’ self-reported Assessments. Similarly, contractors may have concerns regarding their ability to challenge an Assessment performed by the DoD under this new DFARS clause. Although the Interim Rule allows contractors 14 days to submit additional information following a DoD Assessment, the Interim Rule does not explain the mechanism or format for challenging a DoD Assessment. Additionally, there could be competitive implications related to contractors scheduling a Medium or High confidence level Assessment by the Government, for example if certain competitors are able to schedule a DCMA Assessment in a timely manner and others are not. Finally, contractors should consider the potential Bid Protest implications of contractor Assessments being used to make contract awards, e.g., how posted Assessment scores may limit competition, if and how they will be used in Best Value determinations, and how the Assessment scores of proposed subcontractors could be used to make award decisions.

All of the potential issues raised by this new Interim Rule have yet to present themselves, but it is critical that contractors begin the process of ensuring that they are eligible to compete for future awards. This may include performing or obtaining one of the following: (1) a contractor-performed self-Assessment; (2) a Government-performed Assessment; or (3) a full third-party CMMC compliance assessment. Either way, DoD’s new cybersecurity requirements are changing how contractors can win contract awards, and those who are not able to demonstrate their compliance may risk losing future opportunities.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.