What DoD Contractors Need to Know About the 32 CFR CMMC Proposed Rule and Its Effect on Vendors
Looking back, December 2023 was a big month for the Department of Defense (DoD), as it released both the memorandum titled Federal Risk and Authorization Management Program (FedRAMP) Moderate Equivalency for Cloud Service Provider’s Cloud Service Offerings and the 32 CFR Part 170 - Cybersecurity Maturity Model Certification (CMMC) Proposed Rule.
Together, these publications provided significant clarifications for those in the Defense Industrial Base (DIB) that currently have a DFARS 252.204-7012 clause in their contracts with the DoD (or those that may have interest in doing business with the DoD in the future). But to understand the complete implications, each document must be broken down separately, and as leading providers of FedRAMP assessments and the first firm of our kind to become an authorized CMMC Certified Third Party Assessment Organization (C3PAO), we are in a position to help you do this.
In this blog post, we’ll first describe the requirements of the relevant DFARS Clause 252.204-7012 before we get into the additional context and expectations for DoD contractors laid out in the 32 CFR CMMC Proposed Rule, as well as how it all trickles down to their external service providers (ESPs), including Cloud Service Providers (CSPs) and Managed Service Providers (MSPs).
To learn more about the details within the FedRAMP memo regarding Moderate equivalency, check our separate blog—after reading both breakdowns, you should understand more about your paths forward with these evolving federal regulations and standards.
What is DFARS Clause 252.204-7012?
Created in 2013, the DFARS 252.204-7012 clause dictates cybersecurity requirements to ensure that contractors of the DoD are protecting Covered Defense Information (CDI)—more commonly referred to as Controlled Unclassified Information (CUI).
Per the clause, DoD contractors must—among other things:
- Implement the 110 controls outlined in NIST SP 800-171, “Protecting CUI in Nonfederal Information Systems and Organizations.”
  - Contractors must also comply with other DFARS 252.204-7012 requirements for protection against malicious software, media preservation and protection, access to the equipment necessary for forensic analysis, and cyber incident damage assessment.
- Perform a self-assessment of that implementation and enter their scores in the DoD’s Supplier Performance Risk System (SPRS) in accordance with DFARS clause 252.204-7019.
- Report cyber incidents that affect CUI or that impact the contractor’s capacity to perform requirements to the Department of Defense Cyber Crimes Center (DC3)—that may also mean:
  - Sharing cyber incident data requested by DC3;
  - Retaining said data; and
  - Complying with any subsequent investigations that may occur.
It’s not just prime contractors that must comply with these requirements. The clause also contains what’s called “flowdown” language, i.e., a mandate that contractors include the DFARS 252.204-7012 clause in all related subcontracts, so that a subcontractor that does not agree to comply shall not be in possession of CUI. This is how the protections above are assured down the supply chain.
Also embedded within that same clause are legal clarifications and obligations regarding where the CUI—within contractor systems or those of compliant subcontractors—may be stored, processed, or transmitted, as well as the possibility of a contractor employing the services of a Cloud Service Provider (CSP).
On the latter, the clause specifically says:
“If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.”
ESPs vs. MSPs vs. CSPs in the 32 CFR CMMC Proposed Rule
While it is not yet final, the DoD CIO released the CMMC Proposed Rule in December 2023, which contained additional context and expectations for DoD contractors.
Among the biggest and most important clarifications was the confirmation of the applicability of DFARS 252.204-7012 as well as the requirement for Cloud Service Providers (CSPs) to comply with the FedRAMP Moderate equivalency standard (as we mentioned earlier, you can read more about this in our separate blog).
Aside from that enormous development, the Proposed Rule also redefined CSPs to separate them from what the DoD is now calling External Service Providers (ESP)—a new distinction that will be important to any Organizations Seeking (CMMC) Certification in the future.
What is a CMMC External Service Provider (ESP)?
As defined by the Proposed Rule, an ESP is a third-party organization that provides services in support of a DIB member’s services or contract performance. More specifically, the Proposed Rule states:
“CUI or Security Protection Data (e.g., log data, configuration data), must be processed, stored, or transmitted on the ESP assets to be considered an ESP.”
Given this definition, the type of services provided by an ESP can vary widely, but they are commonly responsible for handling specific tasks or functions such as active administration of incident response, managed IT services, and consultancy—all of which may not necessarily involve cloud technologies.
What is a CMMC Managed Service Provider (MSP) or Managed Security Service Provider (MSSP)?
An ESP could instead be an MSP or MSSP, a specific type of ESP that offers cybersecurity services such as monitoring and management of systems. While the specific services offered by MSPs/MSSPs can vary greatly, they are commonly responsible for:
- Monitoring of a boundary or enclave
- Management of system components
- Data and system access control
In simpler terms, an MSP or MSSP may perform the above (or other services) within an environment that is under the direct control of a DIB member or may have their own assets collecting and managing data on behalf of the DIB member in accordance with their agreement.
What is a CMMC Cloud Service Provider (CSP)?
CSPs also fall under the CMMC ESP umbrella, although they are defined as providers offering cloud-based services such as Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). More specifically—according to NIST SP 800-145—a service must exhibit the following five essential characteristics to qualify as a cloud computing service:
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service
In simpler terms, a cloud service is commonly delivered over the internet, allowing users to access, store, and manage applications and compute resources without needing local infrastructure.
An Important Caveat About Determining the Category of Your Providers: As an assessment organization for both FedRAMP and CMMC, we frequently field questions from our customers related to whether they fall under the Proposed Rule definitions, and while these definitions are meant to help you discern that, it typically requires further discussion with a CMMC C3PAO and/or FedRAMP Third Party Assessment Organization (3PAO) to address the nuances that come with each type of service provider (and possible overlaps).
Assessment Implications of the 32 CFR CMMC Proposed Rule
Why is this new separation of external provider types important? Because depending on what type of provider you, as an Organization Seeking Certification (OSC), employ, your vendors will also need to meet certain compliance requirements. If they don’t, the outcome of your requisite CMMC assessment may be negatively affected.
Here are specific details on how those requirements shake out for OSCs and their (non-CSP) ESPs:
- If the OSC utilizes an ESP other than a CSP—e.g., an MSP/MSSP where that MSP/MSSP does handle CUI or Security Protection Data (SPD) as part of their services—that ESP will be required to pursue the relevant CMMC certification type for the processing, storage, or transmission of CUI or SPD at Level 2 or Level 3. (Their certification level will be determined by the sensitivity of the data they handle and/or the type of government contracts they support.)
  Note that if an MSP/MSSP provides a cloud service offering and is handling CUI or SPD as part of that offering, the MSP/MSSP falls into the CSP category defined above, whose requirements are noted in the next section.
- If the ESP is internal to the OSC but outside the OSC’s CMMC certification boundary, the security requirements implemented by the ESP should be listed in the OSC’s System Security Plan (SSP) as well as details regarding the ESP’s connection to the OSC’s in-scope environment.
- Organizations Seeking Assessment (OSA) that are self-assessing at Level 1 should also be prepared to identify potential ESPs and how their assets or personnel handle Federal Contract Information (FCI).
Here are the assessment implications for OSCs and their CSPs:
- If an OSC is attempting to obtain a CMMC Level 2 or Level 3 certification and intends to use a Cloud Service Offering (CSO) for handling CUI or SPD, then the CSP’s CSO will be required to either:
  - Obtain a FedRAMP Authorization at the Moderate baseline (or higher); or
  - Work with a FedRAMP 3PAO to perform a FedRAMP Moderate equivalency assessment and present the results to their OSC as evidence to ensure their CUI or SPD is stored, processed, or transmitted in accordance with the standard set forth in the CMMC Proposed Rule, which will be evaluated as part of the OSC’s CMMC certification assessment.
- If an OSA is using a CSP for Level 2 Self-Assessment, see § 170.16(c)(2) in the CMMC Proposed Rule.
Moving Forward with CMMC and the New FedRAMP Moderate Equivalency
Understanding the requirements and expectations outlined in DFARS 252.204-7012 and the new context within the CMMC Proposed Rule—not to mention the also highly relevant FedRAMP Moderate Equivalency memorandum—is certainly no easy feat.
While DIB organizations navigate the applicability of these requirements, it will be important to focus on the capabilities of their external services, how these services are provided to the DIB, and whether or not those external services handle FCI/CUI/SPD, as this will ultimately determine the applicability of CMMC or FedRAMP.
Though this blog hopefully provides a helpful head start, we know you likely still have questions about these complexities, and as a leading FedRAMP 3PAO and CMMC C3PAO, our experience in this space could be of help. Contact our team today so that we can help you find the right assessment roadmap for your organization.
About Tim Walsh
Tim Walsh is a Manager in Schellman's Federal Practice overseeing both the emerging CMMC assessment program and the established FedRAMP assessment program. Prior to joining Schellman in 2019, Tim worked as a Systems Engineer for a Defense Contractor specializing in the design of physical security systems for Naval installations across the United States. Tim also led and supported various other projects, including software development of an inventory and logistics program used in support of Naval vessels as well as participating in Internal Research & Development (IRAD) of critical operations.