DCMA to allow updates on scores for contractor cyber regime compliance

By Sara Friedman / November 11, 2020

The Defense Contract Management Agency will give contractors the opportunity to make updates on their compliance with NIST Special Publication 800-171 in the Pentagon's Supplier Performance Risk System, according to agency leader John Ellis.

Contractors who handle controlled unclassified information will be required to submit a basic assessment of their compliance with 110 controls in the National Institute of Standards and Technology publication starting on Nov. 30 for new contracts. The requirement is part of an interim rule that will implement the Pentagon's Cybersecurity Maturity Model Certification program over the next five years.

Ellis is the director of DCMA's software division, and he leads the agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), which has been conducting voluntary assessments of contractors based on NIST 800-171 for over a year.

The scores can be updated "as often as you want," Ellis said Tuesday at an event hosted by Celerium. However, Ellis cautioned contractors against updating their scores too often because the "history" of all reported scores will be available to DOD acquisition officials.

The rule dictates that DCMA will be responsible for conducting Medium and High assessments for compliance with NIST 800-171. Ellis said there are currently 40 assessors working at the DIBCAC and DCMA is training officials at the services and Fourth Estate to conduct assessments in conjunction with the DCMA.

For Medium assessments, Ellis said his agency has developed a way to conduct the assessments via "phone call or teleconference" using collaboration tools, which "takes a day or two to get through." DCMA has been doing the majority of the work on its High assessments virtually, but it does require a site visit to do a "physical closeout" and address some of the NIST 800-171 controls onsite, Ellis said.

"We are just getting to the point where we can do physical closeouts on those partial virtual assessments that were done previously," Ellis said. The planning for the High assessment starts 30 to 45 days in advance, Ellis said, and the length of time to prepare and complete the assessment "depends on where we are in the planning cycle with a particular company."

DCMA gives the assessment score onsite, Ellis said, and the agency provides a 30-day period for the close-out of the assessment where a contractor can submit a plan of action and milestones (POA&M) that explains how they will address issues.

Ellis said DCMA will follow up on the POA&Ms because the assessment is "not intended to be a one-and-done" score. Only DOD has the ability to update contractor scores in SPRS for Medium and High assessments to reflect updates contractors have made.

DCMA assessments are mainly focused on the prime contractors, but the agency also checks for evidence of "mechanisms" in place for "flow-down requirements" between the prime and their subs, Ellis said.

"At the end of the day if there is an issue, we will hold the prime accountable for what happens during the conduct of their contract," Ellis said. "We are not going to hold their suppliers accountable because that is a relationship between the supplier and the prime. From a government perspective, we hold the primes accountable for managing who they share information with and how they go about managing that."

Primes do not have access to the information that DOD officials can see in SPRS on the NIST 800-171 assessments. Ellis said he hopes primes will start asking their subs for copies of their self-assessments, which he describes as a "nice way to ensure consistency of documentation between primes and suppliers."