DoD Cybersecurity Requirements Update #4

This is the fourth in a series of blog posts on the Interim Rule regarding cybersecurity issued by the Department of Defense (“DoD”) that went into effect on November 30, 2020 (see prior blogs (1st) (2nd) (3rd)). The Interim Rule relies upon the National Institute of Standards and Technology (“NIST”) 800-171 for compliance with cybersecurity. This blog discusses two of the three new DFARS clauses, 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements and 252.204-7020 NIST SP 800-171 DoD Assessment Requirements.

Both clauses rely upon the classifications from NIST 800-171 of Low, Medium and High. These terms relate both to the impact on the Government (and potentially a contractor, if the information relates to contractor information) if the protected information is released, and to the potential weaknesses of the information system. The final score is usually a combination of the intrinsic value of the information and the confidence that the information is suitably protected. Thus, for example, you might have a Medium “intrinsic” value and a Low “confidence,” which results in a Medium, Low score. If the information to be protected is Medium, but the confidence is Low, then the discloser of the information should not disclose it. However, a finding of Medium intrinsic value and High or Medium confidence means that the information can be released.

It is this basic concept that DFARS 252.204-7019 addresses. In order for the Government to determine to whom it should release information, it wants to make sure that the proper cybersecurity controls are in place. Thus, the clause requires all contractors whose contracts required (or, if still in the procurement phase, will require) the contractor to implement NIST 800-171 to have a “current assessment (i.e., not more than 3 years old …) for each covered contractor information systems that is relevant to the offer, contract, task or delivery order.” DFARS 252.204-7019(b). The results of such an assessment must be posted in the Supplier Performance Risk Assessment System (“SPRS”).

Essentially all DoD contractors should perform a Basic self-assessment of their information systems that may contain any information for a DoD contract. An Excel worksheet (“NIST SP800-171 DOD Assessment Methodology 9.22.20.xlsx”) to perform the assessment is available online at DAU. Companies may self-certify compliance with a Basic Assessment and upload their summary-level scores to SPRS (if they do not have access to SPRS, the scores may be sent to webptsmh@navy.mil for posting). For companies that require a Medium or High Assessment, the Government will perform the assessment, either through DCMA or a specific DoD organization, which will upload the final summary scores to SPRS. All Basic assessments result in a confidence level of Low since they are self-assessments.

The differences between the assessment levels are set out in DFARS 252.204-7020. Both the Medium and High assessments include a review of a contractor’s Basic assessment, a thorough document review, and discussions with the contractor to obtain additional information or clarification as needed. This results in a confidence level of Medium. A High confidence level assessment adds “(iii) Verification, examination, and demonstration of a contractor’s system security plan to validate that NIST SP 800–171 security requirements have been implemented as described in the contractor’s system security plan.”

In summary, if you are a DoD contractor and you have any contracts that include DFARS 252.204-7012, or are bidding on any contracts that will include this clause, you must have an assessment uploaded into SPRS in order to be awarded a new contract or issued any new modifications or options on an existing contract. This applies regardless of whether or not access to Controlled Unclassified Information (“CUI,” see the 3rd Blog) is included in the contract’s requirements.

For more information on this issue, contact MWL Counsel Johana “Jody” Reed.