Into the unknown: DoD's long-awaited cybersecurity rule leaves critical questions unanswered
On September 29, 2020, the US Department of Defense (DoD) published its long-awaited interim cybersecurity rule that includes (1) an assessment and reporting system to evaluate contractors’ current compliance with NIST SP 800-171, as required by DFARS 252.204-7012; and (2) the rollout of the Cybersecurity Maturity Model Certification (CMMC) Framework into DoD solicitations.
While the regulations track much of what has already been shared with industry regarding these initiatives, the rule leaves open a number of critical questions. These unanswered questions are particularly concerning because the rule was issued as an interim rule rather than a proposed rule, meaning that it will take effect before DoD has an opportunity to consider and respond to comments from industry.
Background
At a high level, prior to the interim rule, the cybersecurity requirements placed on contractors to protect information flowing through their IT systems were governed by two regulations. First, FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, required contractors to protect Federal Contract Information (FCI), a broad category of information, by implementing 15 security controls designed to ensure a basic level of cybersecurity hygiene. Second, DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, required contractors that processed, stored, or transmitted Covered Defense Information (CDI), a more limited category of information, to protect that information by implementing the 110 cybersecurity controls set forth in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
Neither the FAR nor DFARS clause provided a process for DoD to verify a contractor’s implementation of the applicable requirements. And, based in part on a DoD Inspector General report, DoD determined that the status quo was unacceptable and left data regarding critical defense technologies vulnerable to malicious actors. In particular, DoD recognized that the existing system allowed contractors to certify compliance with DFARS 252.204-7012 without actually having implemented all of the 110 security requirements or establishing an enforceable timeline for addressing any gaps.
Thus, DoD began developing the two-pronged methodology that is the subject of the interim rule.
NIST SP 800-171 DoD Assessment Methodology
Per the rule, beginning on November 30, 2020, new DoD solicitations will contain DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, and resulting contracts will include DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements. This includes commercial item contracts (although COTS item contracts are exempted). DoD anticipates that it will take three years to fully implement these requirements in its contracts.
These sections state that to be eligible for contract award, at a minimum, contractors must perform a "Basic Assessment" which involves a self-evaluation of a contractor’s implementation of the 110 NIST SP 800-171 controls. The self-assessment is performed using a specific scoring methodology, and contractors are required to report their score to DoD. This Basic Assessment must be conducted once every three years. Additional information regarding the self-assessment is available here.
In addition to the Basic Assessment requirement, solicitations (and resulting contracts) involving more sensitive information may require Medium or High Assessments. These are assessments that DoD, not the contractor, may perform during contract performance. DoD anticipates that it will conduct 200 Medium Assessments and 110 High Assessments each year.
CMMC Framework
The interim rule also provides for the introduction of CMMC requirements in newly issued solicitations through the inclusion of DFARS 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement.
CMMC is a five-level framework under which contractors’ IT systems undergo an audit by an approved independent third-party auditor. That auditor, in turn, certifies the contractor at one of the CMMC levels. DoD solicitations (other than those for COTS items or under the micro-purchase threshold) will include a CMMC-level requirement and require contractors, by the time of contract award, to be certified at or above the solicitation’s requisite CMMC level.
The interim rule clarifies that while CMMC requirements will begin to appear in solicitations on November 30, 2020, the requirement is subject to a five-year phase-in period. Thus, DoD explains that it will not include the requirement in all solicitations until October 1, 2025.
The new clause must be flowed down to subcontractors and requires a prime contractor to verify that its subcontractors have reported CMMC certificates "at the CMMC level that is appropriate for the information that is being flowed down to the subcontractor."
Outstanding issues and takeaways
While many aspects of the interim rule are consistent with what DoD has shared with industry during its development of CMMC, the rule leaves a number of critical questions unanswered. To illustrate:
- How do contractors know what information is considered to be CUI? The interim rule does not establish a process by which contracting officers are to identify CUI. Since the implementation of DFARS 252.204-7012, contractors have been frustrated by contracting officers who refuse to engage regarding the scope of CUI under a contract or, otherwise, overly designate information as CUI in an attempt to shift the burden to the contractor. While DoD recently issued internal guidance regarding the marking of CUI, the interim rule’s silence on this point leaves contractors wondering whether their ongoing frustrations will be addressed as CMMC is rolled out.
- How do prime contractors determine which level of certification is required of their subcontractors? The interim rule requires prime contractors to verify that their subcontractors have CMMC certificates at the "appropriate level," but does not define that term. Thus, prime contractors are left to determine whether, and to what extent, their subcontractors will receive CUI during the performance of a contract. Such a determination is particularly difficult when, as detailed above, contracting officers often refuse to engage with contractors regarding the scope of CUI under a contract.
- How will DoD determine which CMMC level to include in solicitations? CMMC certification levels range from Level 1, which covers "basic" cybersecurity practices, to Levels 4 and 5, which are geared to reduce the risk posed by sophisticated adversaries (i.e., "Advanced Persistent Threats"). However, DoD has not released guidance that will allow contractors to reasonably predict the level of CMMC required for a given procurement. In addition, it is unclear to what extent a solicitation’s CMMC level may be driven by the risk tolerance of a given contracting officer.
- What is the interplay between the interim rule and FedRAMP? For cloud service providers that have obtained Federal Risk and Authorization Management Program (FedRAMP) certification, the interim rule presents an arguably duplicative or unnecessary compliance requirement. While DoD has suggested that FedRAMP and the CMMC Accreditation Body may reach a reciprocity agreement, no such agreement exists at this time.
- How will foreign companies obtain CMMC certification? DoD intends for CMMC to apply to all DoD contractors, including foreign entities within the DoD supply chain. While this policy seems reasonable on its face in order to achieve the goal of protecting DoD information, it creates logistical issues. For example, foreign entities are unlikely to want to invite a US citizen third-party assessor to conduct a detailed audit of their IT systems, yet DoD is unlikely to allow non-US citizens to serve as CMMC assessors.
- What is the potential liability for contractors related to the interim rule? While industry recognizes the importance of partnering with DoD to ensure the safeguarding of critical defense information, there is always concern that doing so could create False Claims Act or other liability for contractors. This concern is heightened under an interim rule that requires a contractor to report the results of its Basic self-assessment and, in turn, face a Medium or High Assessment from the Government that could reach a different result. Similarly, contractors question whether there is potential liability if their self-assessment concludes that they are fully compliant with NIST SP 800-171, but they are subsequently unable to obtain a Level 3 CMMC certification. The current rule does not provide any guidance or protection for contractors on these issues.
Comments on the interim rule are due by November 30, 2020. DoD has specifically asked industry to comment on how the requirement to obtain certification by the time of contract award will impact small businesses. However, as the above illustrates, there may be many other issues to address through the submission of comments. To learn more about these issues and the implications of the interim rule for your business, please contact either of the authors or your DLA Piper relationship lawyer.