Third-Party Cybersecurity Assessments Potentially Coming Soon to Department of Defense
Contractors that do business with the U.S. Department of Defense (DoD) and handle Controlled Unclassified Information (CUI) have been awaiting the issuance of a rule implementing the Cybersecurity Maturity Model Certification (CMMC). CMMC would require third-party assessments confirming contractors are compliant with the security controls in the National Institute of Standards and Technology's (NIST) Special Publication (SP) 800-171.1 Contractors that do not have CUI would be permitted to conduct annual self-assessments to validate the controls outlined in Federal Acquisition Regulation (FAR) 52.204-21.
Even without CMMC, DoD contractors that handle CUI must comply with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. Among other things, the DFARS regulation requires that contractors be compliant with NIST SP 800-171.
NIST SP 800-171 is currently in its second revision, and NIST is in the process of issuing Revision 3, which is expected in the first half of 2024. NIST recently released a draft of the third revision, which, among other changes, adds an emphasis on supply chain risk management. Notably, one of the new controls requires contractors to obtain third-party verification that they comply with the remainder of the controls in NIST SP 800-171. Specifically, Control 3.12.5, "Independent Assessment," requires contractors to "use independent assessors or assessment teams to assess controls." The control does not specify how often such an assessment must take place, but a reassessment presumably should occur whenever there is a material change to the contractor systems that house CUI. Indeed, Control 3.12.1 states that assessments must be "current," which implies that they should reflect the current state of the information system.
The Independent Assessment control also emphasizes that assessors must be independent and free from perceived or actual partiality. To achieve this, assessors should not have developed or maintained the system being assessed and cannot be members of the organization being assessed.
On its own, this newest revision of NIST SP 800-171 is interesting but of limited consequence. DFARS 252.204-7012, however, specifies that the applicable version of NIST SP 800-171 is the one in effect at the time a solicitation is issued:
the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations" (available via the internet at http://dx.doi.org/10.6028/NIST.SP.800-171) in effect at the time the solicitation is issued or as authorized by the Contracting Officer.
That means, as soon as the new version of NIST SP 800-171 is issued, contractors responding to solicitations will have to comply with it as soon as performance begins. This includes the control requiring a third-party assessment.
Potentially, contractors could avoid these new requirements in three circumstances: 1) a waiver from a contracting officer (the clause quoted above allows the Contracting Officer to authorize a different version); 2) the issuance of a class deviation by DoD that points DFARS 252.204-7012 back to NIST SP 800-171 Revision 2 for a period of time; or 3) successfully arguing that the DoD policy codified in Title 32 of the Code of Federal Regulations (CFR) controls. Title 32 is static and would need to be revised to incorporate the newer version of NIST SP 800-171. None of this is a given, however.
Contractors that handle CUI and are currently subject to (or expect to be subject to) DFARS 252.204-7012 would be wise to begin reviewing the proposed revision of NIST 800-171 (which could still change) to ensure they are prepared to comply if a final version is issued and a waiver or class deviation is not forthcoming.
1 It is important to note that CMMC's delay does not obviate required compliance with NIST SP 800-171. CMMC's delay only delays a third-party verification of current requirements. Revision 2 of NIST SP 800-171 does allow for the mitigation and correction of "individual, isolated, or temporary deficiencies" utilizing plans of action under control 3.12.2. Proposed Revision 3 has a similar control (also at 3.12.2).