December 17, 2020

Department of Defense Contracts: Preparing for Cybersecurity Requirements

Information about the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) requirements and when they impact DoD contracts at the UW.

When will Cybersecurity Maturity Model Certification be Required?

Beginning November 30, 2020, the DoD will incorporate requirements for  Cybersecurity Maturity Model Certification (CMMC)  into selected Requests for Proposals (RFPs), Requests for Information (RFIs), and research contracts. By October 1, 2025, all DoD contracts will require CMMC certification to Level 1, at a minimum.

How do I know if CMMC is required?

There are two things that mean CMMC is required for your project activity.

1. If your DoD contract includes any of these regulations:

• • DFARS 252.204-7012, ‘Safeguarding Covered Defense Information and Cyber Incident Reporting
  • DFARS 252.204-7019, ‘Notice of NIST SP 800-171 DoD Assessment Requirements
  • DFARS 252.204-7020, ‘NIST SP 800-171 DoD Assessment Requirements
  • DFARS 252.204-7021, ‘Cybersecurity Maturity Model Certification Requirements

AND

2. You will be handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

When CMMC applies, the security Level of your IT system environment used for the project must also be CERTIFIED in the DoD Supplier Risk Performance System (SPRS).

Unsure about the Level that applies to your project?

Consult with your DoD program contact at the agency sponsoring your project.

Steps Necessary to Meet DoD IT Security Requirements

Review the IT security requirements you may need to have in place:

• Level of IT security (1 low – 5 high) will be indicated within the Request for Proposal (RFP) or communicated by the Contracting Officer, if issuing a modification.

• At least a Level 1 Basic Cyber Hygiene IT environment will be required for projects handling Federal Contract Information (FCI).

• Meet with your IT and Department Administrator

• Determine if the current IT environment you plan to use for the project meets cyber security requirements imposed by DoD through your contract.
  • IT Administrator to review
  • Use general the UW Cybersecurity Maturity Model Certification (CMMC) information and templates provided by the Office of the Chief Information Security Officer (CISO)
  • Prepare a System Security Plan (SP)
  • If Level 1, use the CMMC Level 1 System Security Plan Template developed CISO
  • Identify gaps/deficiencies and document how these will be addressed in a Plan of Action & Milestones (POA&M) document

• Complete an Assessment
  • Self-assessment is acceptable for Level 1
  • Secure the assistance of a third party certified assessor< , if above Level 1
  • Self-assessment guidance provided by SPRS is available

• Register in the DoD Supplier Performance Risk System (SPRS)
  • Refer to the SPRS Quick Entry Guide
  • Use naming convention to link to UW’s Cage Code (1 HEX 5): UW-dept PI name
  •  According to DoD,  it can take 30 days for the Assessment to be registered in SPRS!

• Track any costs to implement – these are allowable costs you can charge to the award, if built into the Business portion of your DoD contract proposal

Responding to a new DoD Contract Solicitation?

At proposal submission stage:

• Prepare your eGC1
• Attach your Business and Technical proposal
• Include in your budget the costs to achieve IT security compliance and to complete the Assessment
  • Provide the back-up documentation on these costs
• Unable to complete your Assessment by the time of proposal, but intend to?
  • Use this language in your Business section of the proposal with your costing/pricing data explanation: “The Offeror intends to have the Level 1 Basic Assessment complete prior to issuance of the contract. Confirmation via the SPRS will be available prior to the anticipated proposed start date”.
  • Remember to include the costs in your estimates!