Request a Demo

CMMC in Higher Education: Complete Guide

SaltyCloud Research Team

Updated Jan 31, 2021 Read Time 11 min

TL;DR:

The DoD’s DFARS Interim Rule introduces new contract clauses to facilitate the phased rollout of CMMC and requires contractors (including higher education institutions conducing DoD-sponsored research) to have an SSP, report compliance with NIST SP 800-171 on SPRS, and provide a timeline for full compliance prior to contract award.

The Department of Defense (DoD) released the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule on September 29, 2020, and went into effect on November 30, 2020.

The DFARS Interim Rule introduces several new contract clauses (252.204–7019, 252.204–7020, and 252.204–7021) to enable the five-year phased rollout of the Cybersecurity Maturity Model Certification (CMMC) on October 1, 2025.

Specifically, the DFARS Interim Rule requires contractors to have a System Security Plan (SSP), quantify their compliance with the NIST SP 800-171, self-report that status on the Supplier Performance Risk System (SPRS), and a timeline for full compliance, prior to a new contract award or exercise of a contract option.

Higher Education Institutions that conduct DoD sponsored research are required to comply with the DFARS Interim Rule.

What is the purpose of the DFARS Interim Rule?

TL;DR:

The DFARS Interim Rule initiated the phased rollout of CMMC, requiring contractors to complete a NIST SP 800-171 self-assessment using the Assessment Methodology and report the score to SPRS until September 30, 2025, and eventually be Level 1 certified for FCI with 17 practices or Level 3 certified for CUI with 130 practices and related policies, as well as provide proof through multiple forms of evidence for each practice.

The purpose of the DFARS Interim Rule was to kickstart the five-year, phased rollout of the Cybersecurity Maturity Model Certification (CMMC). Prior to the Interim Rule, DFARS 252.204-7012 required any contractor with systems that stored or transmitted Controlled Unclassified Information (CUI) to agree to be compliant with NIST SP 800-171. In the interim period (November 30, 2020–September 30, 2025), contractors will need to complete a NIST SP 800-171 self-assessment using the NIST SP 800-171 Assessment Methodology and report the score to the SPRS.

In the future, all contractors will need to be Level 1 certified at the least for Federal Contract Information (FCI) which entails 17 practices. Those contractors that receive, create, or transmit CUI will need to be Level 3 certified which entails 130 practices and related policies. Contractors will also need to demonstrate proof by documenting multiple forms of evidence for each practice.

Who is required to comply with the DFARS Interim Rule?

Any prime contractor or subcontractor for the DoD who handles Controlled Unclassified Information (CUI) will need to comply with the new DFARS Interim Rule. This includes research labs, and their subsequent systems, in Higher Education Institutions that conduct DoD research.

Are Higher Education Institutions exempt from the DFARS Interim Rule?

TL;DR:

Higher Education Institutions are not exempt from the DFARS Interim Rule or the CMMC.

No, Higher Education Institutions are not exempt from the DFARS Interim Rule or the CMMC. During the CMMC Virtual Summit hosted on September 15, 2020, Katie Arrington, CISO at the Office of Acquisition and Sustainment, indicated that fundamental research conducted at Higher Education Institutions as part of DoD contracts would fall under CMMC Level 1. EDUCAUSE and several other organizations have urged the DoD to consider excluding Higher Education Institutions from the DFARS Interim Rule and the CMMC, however, the DoD has not replied to the comments.

What is included in the DFARS Interim Rule?

TL;DR:

The DFARS Interim Rule includes three new clauses: Notice of SP 800-171 DoD Assessment Requirements, NIST SP 800-171 DoD Assessment Requirements, and Cybersecurity Maturity Model Certification Requirements.

The DFARS Interim Rule introduces three new clauses (7019, 7020, 7021).

  • DFARS 252.204–7019, Notice of NIST SP 800–171 DoD Assessment Requirements
    • This clause provides notice to contractors of their requirement to maintain a record of their NIST SP 800-171 compliance within the SPRS. As per the NIST SP 800-171 Assessment Methodology required by DFARS 252.204–7012, this means that contractors will need to have a Basic, Medium, or High assessment completed every three years and maintain a record of it on the SPRS. Contractors will start with a Basic assessment, which is a self-assessment. However, depending on the criticality of the program or the sensitivity of the information being handled by the contractor, contractors may be subject to a Medium or High assessment conducted by the Defense Contract Management Agency (DCMA)
  • DFARS clause 252.204–7020, NIST SP 800–171 DoD Assessment Requirements
    • This clause requires a contractor to provide the government with access to its facilities, systems, and personnel when it is necessary for the DoD to conduct or renew a Medium or High assessment. Furthermore, the clause also requires the contractor to ensure that subcontractors also have the results of a current NIST SP 800-171 assessment posted in SPRS prior to awarding a subcontract or other contractual instruments. Finally, the clause also states that for Medium and High assessments, contractors have a 14 day period to provide additional information to demonstrate that they meet any security requirements not observed by the assessment team or to rebut the findings that may be of question.
  • DFARS clause 252.204–7021, Cybersecurity Maturity Model Certification Requirements
    • This clause codifies the CMMC into the federal regulatory framework, aligning with the five-year phased rollout of CMMC. The clause states that all contracts, solicitations, task orders, or delivery orders will include CMMC requirements by October 1, 2025, except for those that are solely for the acquisition of Commercially available off-the-shelf (COTS) items. Until then, the inclusion of CMMC requirements must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S).

Are there penalties associated with the DFARS Interim Rule?

TL;DR:

The penalties associated with the DFARS Interim Rule include the inability to receive contracts or award subcontracts, potential liabilities under the False Claims Act, and limited competition for less favorable assessment scores.

Yes, there are several possible penalties associated with the DFARS Interim Rule.

  • Contractors will not be awarded contracts, nor can they award subcontracts, unless they and their relevant subcontractors have demonstrated compliance with the NIST SP 800-171 security controls on the SPRS.
  • As per the False Claims Act, contractors could face potential liabilities for a self-assessment that is improperly conducted or reported. And although not directly stated anywhere, contractors could possibly be held responsible for self-assessments submitted by their subcontractors.
  • Less favorable assessment scores may lead to limited competition, if and how they will be used in best value determinations for contract awards.

How does the NIST SP 800-171 Assessment Methodology work?

TL;DR:

The NIST SP 800-171 Assessment Methodology assigns a score based on the contractor’s implementation of 110 controls, and includes three levels: Basic, Medium, and High.

The NIST SP 800-171 Assessment Methodology creates a definitive scoring system by which the DoD can strategically assess a contractor’s implementation of NIST SP 800-171 and thus gain an understanding of their security posture. The highest score you can get is a 110, which reflects full implementation of all 110 controls in NIST SP 800-171. However, if a specific control is not implemented, the score is reduced and in some cases by more than just a single point. This means a negative score is possible. There are 42 controls worth 5 points, 14 controls worth 3 points, and 54 controls worth 1 point. Contractor’s that submit a score lower than 110 are also required to submit the exact date they expect to receive the perfect score.

Another facet of the NIST SP 800-171 Assessment Methodology is the three distinct levels of assessment that result in varying degrees of confidence.

  • Basic Assessment
    • This assessment is a self-assessment that results in a “low” level of confidence.
  • Medium Assessment
    • This assessment includes a review of your System Security Plan (SSP) by the DCMA and results in a “medium” level of confidence.
  • High Assessment
    • This assessment includes an on-site or virtual assessment by the DCMA and results in a “high” level of confidence.

What steps can I take to comply with the DFARS Interim Rule?

TL;DR:

To determine whether the entire organization needs to meet NIST SP 800-171 compliance, Higher Education Institutions with individual DoD sponsored research labs should adopt an “enclave approach” and only secure the specific research labs that handle CUI data, creating a specific SSP for each CUI enclave, conducting a pre-assessment, documenting evidence of compliance and other artifacts, and submitting the initial score into the SPRS to be awarded contracts under the Interim Rule, with the possibility of requiring a medium or high assessment afterward, while also using the five-year interim period to prepare for the CMMC and track progress to full compliance using a GRC Assessment Platform.

  1. Evaluate your organization and determine whether the whole organization will need to meet NIST SP 800-171 compliance. For Higher Education Institutions with individual DoD sponsored research labs, this is usually not the case. This means you can adopt what is called an “enclave approach”. By leveraging this approach, Higher Education Institutions only need to worry about securing the specific research labs that handle Controlled Unclassified Information (CUI), or “CUI enclaves”. When in doubt, it helps to follow the data—determine where CUI data is store and map out how it moves throughout the organization or between the organization and subcontractors.
  2. For each CUI enclave, you’ll need to create a specific System Security Plan (SSP) that covers the specific systems, people, and locations that involve the specific CUI. If you need help scoping your CUI enclave, the CMMC Accreditation Body (CMMC-AB) provides a marketplace of practitioners that can help you.
  3. Once your CUI enclaves are defined and SSPs created, we recommend conducting a pre-assessment. The pre-assessment is for internal use only and will help you identify compliance gaps in your CUI enclave. You’ll be able to understand what controls are missing, make strategic decisions about how to implement those missing controls, and begin working on a POA&M if necessary. You can also leverage the pre-assessment to document evidence of compliance and other artifacts. These are important in case of a DMCA audit or to prepare for other third-party assessments including the CMMC. You can leverage a GRC Assessment Platform like Isora GRC to help you streamline your assessment workflow and collect evidence.
  4. You will need to submit your initial score into the SPRS in order to be awarded contracts under the Interim Rule. As you implement new controls you can update your score on the SPRS to reflect your current progress. As of now you’ll need to provide the following in the SPRS:
    • Date assessment was completed
    • Assessment score (< or = 110)
    • Scope of assessment (e.g., Enterprise, Enclave, or Contract)
      • Contracts – Contract specific SSP review
      • Enterprise – Entire company’s network under the CAGEs listed
      • Enclave – Standalone under Enterprise CAGE as business unit (test enclave, hosted resources, etc.)
    • POA&M completion date (the specific calendar date at which you predict to attain a score of 110)
    • Included CAGEs (CAGEs you are reporting that are covered by the SSP)
  5. After you’ve submitted your basic assessment, the contract may require a medium or high assessment. An assessor from the DCMA will be assigned to your organization to complete either assessment.
  6. Finally, although not explicitly required just yet, this five-year interim period should be used to prepare for the CMMC. If you treat CMMC as a maturity model, meeting compliance with NIST SP 800-171 roughly aligns with CMMC Level 3. If you’re using a GRC Assessment Platform like Isora GRC, you can work off of your initial NIST SP 800-171 assessments to help you implement the additional controls required for a higher-level CMMC or track the progress to full compliance at the level your organization intends to get certified.

How Isora GRC from SaltyCloud can help

TL;DR:

Isora GRC from SaltyCloud is the powerfully simple CMMC solution making regulatory compliance easier while helping organizations improve their cyber resilience.

The race against time to prepare for CMMC is intensifying as organizations attempt to safeguard sensitive data and meet DoD requirements ahead of anticipated implementation in May 2023.

Knowing where sensitive data resides, if it’s protected, and whether it meets the CMMC requirements warrants an agile and lightweight solution that transcends outdated GRC platforms and tedious manual spreadsheets.

Isora GRC from SaltyCloud is the powerfully simple solution changing how information security teams manage governance, risk, and compliance (GRC). A new intuitive, automated, and collaborative platform designed by GRC experts, Isora GRC helps organizations ace compliance audits, build information security culture, and strengthen cyber resilience at scale.

  • Ace CMMC compliance audits with collaborative surveys, risk assessments, dynamic dashboards, and insightful reporting for auditors and leadership.
  • Improve your organization’s security posture with maturity models, preloaded security frameworks, and remediation tracking.
  • Protect CUI and other sensitive data with a comprehensive host inventory, robust API integrations, and continuous assessments.
  • Minimize third-party risk with a complete vendor inventory, vendor risk assessment surveys, and vendor approval workflows.

Join dozens of information security teams partnering with Isora GRC from SaltyCloud to build a risk and compliance program they can trust.

Discover how companies use Isora GRC from SaltyCloud to ease the pressure of CMMC.

 

Learn More
Our GRC Resources

Dive into our research-backed resources–from product one pagers and whitepapers, to webinars and more–and unlock the transformative potential of powerfully simple GRC.

Learn More
Other Relevant Content

All you need to know about the CMMC, its framework, compliance requirements, and practical tips for defense contractors.

Everything you need to know about the NIST 800-171 Basic Assessment and the steps you can take to build a compliance process.

This Complete Guide provides step-by-step instructions for scoping FCI and CUI to make NIST 800-171 and CMMC compliance more efficient and cost-effective.

Stay ahead of the curve
Get insightful guides, original research, regulatory updates, and novel solutions delivered straight to your inbox.
Get Started
Manage assessments
confidently with a
collaborative GRC platform