In November 2010, Executive Order 13556 established a program for managing and protecting Controlled Unclassified Information (CUI), with the National Archives and Records Administration serving as the executive agent to implement and oversee agency actions to ensure compliance. This, in turn, was followed by the release of several Defense Federal Acquisition Regulation Supplements (DFARS) that put the Cybersecurity Maturity Model Certification (CMMC) program in place. A primary requirement is for contractors to provide adequate security and report incidents within 72 hours. It is then NIST SP 800-171 that defines adequate security and the incident reporting process.
This process that began in 2010 with the requirement for protecting CUI was to culminate by December 31, 2017. By that date, all contractors who handled CUI were to be compliant or working towards compliance by DFARS 252.204.7012. Needless to say, this rollout has not quite worked out as planned.
The requirement to adequately protect CUI and report relevant incidents has been around for several years. It is also fair to say that industry has ignored the compliance requirements; equally, the government has ignored its requirement to define and identify CUI. Often the contractor is left with a requirement to expend effort on information that can not be identified or does not exist.
As this program has lurched forward, it has changed markedly, from CMMC version 1.0 with five levels of compliance and a maximum of 171 requirements to CMMC version 2.0 with three levels and a maximum of 145 requirements.
What has also changed is that the Department of Justice is now involved through the False Claims Act (FCA). The law originated during the Civil War and was used to charge contractors who knowingly submitted false claims. Over the last century and a half, it has been amended. It now allows private citizens to file suits on behalf of the government against those who have defrauded the government.
The 2015 Aerojet Rocketdyne False Claims Act case is a prime example. A whistleblower brought an action against Aerojet Rocketdyne, claiming the company knowingly misrepresented its security controls and practices and knowingly failed to timely report a suspected cyber incident. In other words, the company knowingly failed to provide adequate security for CUI and report an incident involving CUI. In February 2022, the court decided on a summary judgment. It did not resolve the allegations of false claims and did not deny the Aerojet Rocketdyne defense. The court found there were facts in dispute that could be resolved by trial.
In November 2021, there was the release of the CMMC Interim Rule, which is framed by several DFARS clauses. First is clause 252.204-7019, which requires contractors to conduct a self-assessment of their compliance to NIST SP 800-171 and enter the results into the Supplier Performance Risk System (SPRS). The second is clause 252.204-7020 which requires the contractor to provide company access to government assessors and ensure applicable subcontractors have their current assessment posted in SPRS. Third is clause 252.204-7021 which requires the contractor to have the appropriate CMMC certification before award and maintain the required level for the contract duration.
Essentially, the first requirement is for a company to self-assess their compliance to the 110 requirements in NIST SP 800-171 and post the results. This is not an easy task, there are three scoring categories and 320 determination statements, with assessment objectives, that need to be evaluated. The reality is that all determination statements must be satisfied before a control can be complete. The obvious recommendation is a hard and honest assessment, knowing that the government expects companies to report as they improve their score. The scoring range is +110 to -204, and the FCA is hanging over this process like a sword. The caution here is not to inflate the score. A company officer must certify the submission of the score and the Plan of Action and Milestones (POAM) into SPRS.
False claims of assessments will result in inflated scores, which will not be difficult to find. In plain simple language, an incomplete assessment that does not consider the 320 determination statement assessment objectives is incorrect, at best incomplete, and most likely fraudulent.
With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at firstname.lastname@example.org.