Three Defense Federal Acquisition Regulation Supplement (DFARS) provisions and clauses tied to the Department of Defense's (DoD) Cybersecurity Maturity Model Certification (CMMC) are set to become permanent rules shortly, Katie Arrington, the Pentagon's CISO for acquisition and sustainment, said April 15.
Speaking at Amazon Web Services' (AWS) virtual Public Sector Summit, Arrington said DFARS Provision 252.204-7019, DFARS Clause 252.204-7020, and DFARS Clause 252.204-7021 will all be finalized shortly. The first two cover DoD assessment requirements; the third carries the CMMC requirement itself.
All three were introduced under an interim rule in September 2020 and took effect on November 30, 2020. Arrington said, "[DoD is] finishing out the adjudication of the comments to go to the final rules."
The CMMC program aims to enforce tiered cybersecurity standards up and down the Defense Industrial Base (DIB) supply chain, and DoD is in the process of baking those certification requirements into all DoD contracts by 2026. The program is still in its pilot stage and is currently under internal review, though Arrington noted that the first request for proposal carrying a CMMC requirement has already closed.
DFARS Provision 252.204-7019 requires contractors to complete a NIST SP 800-171 self-assessment and enter the resulting summary-level score into DoD's Supplier Performance Risk System (SPRS). The score on file must be current, meaning no more than three years old, so the self-assessment has to be repeated at least every three years.
DFARS Clause 252.204-7020 applies after contract award. It covers every contractor already subject to Clause 252.204-7012, which requires adequate security for any covered defense information that is "processed, stored or transmitted" on the contractor's systems. Under 7020, those contractors must give DoD access to their systems, facilities, and personnel if DoD decides a medium or high assessment is necessary, in which case the assessment is performed by the government rather than self-reported.
Arrington said these rules are all crucial to the "crawl, walk, run" rollout DoD is aiming for with CMMC implementation.
“The crawl, taking the self-assessments, and recording the walk, having the department come in and say, let’s look at what you’re doing and make sure you’re on the right path, which leads to the run, which is the deeper,” Arrington said.
That "run", as Arrington called it, is DFARS Clause 252.204-7021, the clause that actually writes CMMC into DoD contracts. It requires the applicable CMMC level to be included in all DoD contracts starting October 1, 2025.
“So, think about that. 300,000 companies need to get CMMC certified in the next five years,” Arrington said. “That’s a pretty heavy lift. When we started this program … we thought carefully about this, and making cybersecurity foundational to acquisition wasn’t something that we just thought, ‘Let’s do it one time.’ It has to be an enduring capability.”