DOD planning to use NIST 800-171 as evaluation criteria for contracts prior to CMMC rule

River entrance of the U.S. Department of Defense. (Getty Images)

While the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) 2.0 rule likely won’t be finalized and put into effect until next spring, defense contractors may soon have to show compliance with existing federal standards for handling the department’s controlled unclassified information as part of the evaluation criteria for contracts.

The National Institute of Standards and Technology‘s SP 800-171 is a framework for how organizations should protect federal controlled unclassified information, and its 110 security practices will be the core requirements under CMMC — the DOD’s program for protecting its information that is shared with contractors. Once the Pentagon’s rule for CMMC goes into effect, likely in May of 2023, contractors who don’t meet the requirements of the program will be forbidden from working with the DOD.

But in the meantime, the department is planning to look at contractors’ compliance with NIST SP 800-171 as part of the evaluation criteria for competitive procurements, said Stacy Bostjanick, chief of implementation and policy reporting to the DOD chief information security officer.

“Right now, [NIST SP 800-171 compliance] is not going to impede you from garnering an award with the federal government. But we are going to start looking at it as an evaluation criteria” for contracts, Bostjanick said at a CMMC conference hosted Tuesday by NeoSystems in Alabama. “So it could have implications for you moving forward and your position on a competitive procurement.”

Bostjanick said John Tenaglia, the principal director of defense pricing and contracting, “has given direction to his contracting officers to start paying more attention” to the NIST standards.

Up to this point, both contractors and contracting officers have been “lackadaisical” about meeting the standards set by NIST SP 800-171 as “part of the responsibility determination” for contracts, she said.

“Is it being used to make award decisions? Not yet,” Bostjanick said, emphasizing that will likely soon change. “Mr. Tengalia, as part of his guidance to contracting officers, is to start looking at that and taking that into consideration.”

She said the department has the authority to account for this as part of a contract’s evaluation criteria, but it just hasn’t had the right “verbiage.” However, Bostjanick’s team within the DOD CISO’s office “might have happened to pass something over to them to help them, to say this is an evaluation criteria, right? And we’re going to use this as part of our determination factor for award, because we’re going to evaluate your compliance and security of your networks.”

In fact, it’s been part of federal law under the Defense Federal Acquisition Regulation Supplement (DFARS) for several years, she said. “The only difference is somebody might come check your homework. And it is high time that we get off our duffs and get the implementation done that you were supposed to have done and you agreed to when you signed that contract” that has DFARS clause 252.204-7012.

“We need to pay attention to this, we need to get moving on it, and we’ve got to stop procrastinating,” Bostjanick said, adding that people have become vocal with their concerns only now that DOD has said, “we’re coming to look and check.” She added: “That’s not acceptable.”

So, as contractors anticipate CMMC implementation next spring, it’s as good a time as ever to start getting things in order to attest — truthfully — that they meet the 110 requirements under NIST SP 800-171, Bostjanick and her co-panelists at the event said Tuesday.

“Do yourself a favor: Hold yourself accountable. Do not overrate yourself and put something in [the Supplier Performance Risk System] and give yourself a false sense of security, assuming that nobody’s ever going to look,” said John Ellis, director of the Defense Industrial Base Cybersecurity Assessment Center. “Don’t do that. Don’t be that company. I’m not going to sit here and threaten you or I’m not going to tell you doom and gloom things, but that could happen.”

Bostjanick backed Ellis’ thoughts: “Hold yourself accountable, be realistic, be honest where you are, because at the end of the day, 95% of this for the government is being able to understand and manage the risk,” she said.

“There’s a potential that they could say, ‘OK, we get that you’re not there, but we need your capability. But now that we understand where you really are, we can help you manage that risk and we can manage the risk to the nation by coming up with an alternative plan to protect that data until you can get certified,'” she added.

For those small and medium-sized contractors that may need help on that journey to compliance, larger IT firms — cloud service providers in particular — may be able to help them get there in a cost-effective manner. The DOD is looking to such firms to make CMMC less burdensome for smaller contractors, CISO Dave McKeown said last week at DefenseScoop’s DefenseTalks conference.