John A. Ellis, Director of the Defense Contract Management Agency (DCMA) Software Division presided over a webinar with Ardalyst Mar. 3rd to assist the company’s efforts to help defense contractors understand the new Defense Acquisition Regulations System (DFARS) interim rule, requirements, and assessment methodology.
With the new DFARS interim rule, defense contractors are facing increased scrutiny of their organizations’ cybersecurity programs and a larger obligation to demonstrate that they are compliant with the 110 controls defined in NIST SP 800-171. The new rule includes provisions to follow a prescribed DoD assessment methodology in self assessing your cyber program’s compliance and also to potentially submit to a more detailed analysis by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Ellis began the webinar by digging deeper into the interim rule. The interim rule – released in September 2020 and officially in effect November 30, 2020, is designed to solidify CMMC as the new framework for DoD contracts. It instructs contractors to perform a self-assessment of their cyber program’s NIST 800-171 compliance and report their score to a government database. With these dual mandates, the interim rule looks to address defense companies’ security and compliance gaps and provide an onramp for the rollout of CMMC.
All work done by defense contractors—primes and subcontractors—subject to DFARS 252.204-7012 will be impacted by the requirements described in the interim rule. Under that DFARS -7012 clause, defense contractors who handle CUI must adhere to NIST SP 800-171 cybersecurity controls. The interim rule introduces three new clauses (7019,7020 and 7021) focused primarily on strengthening NIST SP 800-171’s self-assessment requirement and smoothing the transition to CMMC.
As part of the self-assessment requirement, companies are reminded that they have to put their results in the Supplier Performance Risk System (SPRS). Ellis said that as of last week, more than 11,000 companies have entered assessments.
Ellis was quick to remind all companies that they have to be fully compliant with NIST 800-171 to meet your eventual level 3 CMMC requirement. “Under CMMC, you can’t have un-met requirements,” Ellis said. “Under the current methodology, you can put in a score of less than 110 (the highest possible self-assessment score), but you have to put in a Plan of Action and Milestones (POA&M) completion date. This should signal to everyone that they should stop waiting … get CMMC compliant now.”
Ellis clarified DCMA’s and DIBCAC’s roles in these processes as well. DCMA has the responsibility to administer contracts that have been delegated to it by the military services and federal agencies. They manage thousands of contracts, provide industrial expertise for process flows and ensure deliverables are meeting contractual requirements, among other critical missions. DIBCAC was formed in 2019 at the direction of Ellen Lord, the former Under Secretary of Defense for Acquisition and Sustainment, to conduct enterprise-level assessments. DIBCAC refines the processes for DCMA and averages 110 assessments per year, despite the prevalence of the Covid-19 pandemic.
Ellis said that DCMA has been involved in the development of CMMC since day zer0, and the progress is on glideslope and schedule with what DoD’s original plans were.
“Today we are taking the baby steps to start the 5-year phased roll-out of CMMC,” Ellis said. “The first assessment of a third-party assessor is taking place next week. CMMC is right on schedule.”
As far as advice for companies looking for assistance with CMMC compliance and understanding of the DFARS interim rule, Ellis provided a few goals posts for which these companies can aim.
1 – Have a POA&M.
“A POA&M is important for companies to have a self-accountability tool in order to get yourself compliant, Ellis said. “It’s all about preparation, being informed and holding yourself accountable. This is just one small part of the importance of what we’re doing as a community. This is a team sport. We rely on industry … industry relies on us … and companies need to do their part to protect information. Self-assessments and POA&Ms are a big part of that.”
2 – Work with the Assessors … and use the guide!
“Our assessment at DIBCAC is based on how the company describes and defines their own enterprise. We assess big companies or mom and pop shops. The scope of the assessment is done through coordination with the company pre-assessment. We have to come to an agreement with what is in scope and out of scope,” Ellis said. “The artifacts we look for are all things described in the assessment guide – 800-171A. The guide shows in black and white what the criteria is and what the assessors will ask you. Because there is so much clarity in 800-171 … companies can be hyper-accurate with their self-assessment and what their eventual DIBCAC score will be.”
3 – Be careful who you hire.
“You can’t buy ‘800-171 in a can.’ There are companies out there trying to sell a compliance product. You buy it and think you’ll be covered … but you need more … training, certification and structure … and you have buy-in and participation from all levels of your organization,” said Ellis. “This is a comprehensive set of requirements. And you need to comply with all of them. If you need help, reach out to mature companies who understand all of this.”
Ardalyst will be hosting a series of CMMC-related webinars throughout the year. More events will be coming soon and posted at ardalyst.com/cybersecurity-events.
