The blog below is a summary of our whitepaper, DFARS Self-Assessment: Improving Cybersecurity and Raising Your Score. Go to the whitepaper landing page to access the full copy.
The Department of Defense’s long-anticipated DFARS Interim Rule went into effect in December 2020. The Interim Rule mandates that defense contractors not only perform a self-assessment based on NIST 800-171, but also report that score to the DoD. The Interim Rule also implicitly makes the new CMMC framework—to be implemented over the next several years—the law of the land.
All work done by primes and subcontractors subject to the DFARS 252.204-7012 clause now is also subject to the requirements described in the Interim Rule. That includes all defense contractors that handle CUI. Further, as CMMC is implemented, those contractors will need to achieve at least CMMC Level 3. The DoD has made it clear that if defense companies do not meet these prerequisites, they cannot be awarded contracts.
[P]rimes and subcontractors subject to the DFARS 252.204-7012 clause are now subject to the requirements described in the Interim Rule. if defense companies do not meet these prerequisites, they cannot be awarded contracts.
While the DFARS Interim Rule doesn’t specify minimum self-assessment scores that must be achieved, the DoD will do risk-based assessments to help determine which companies it will award contracts to. If a company has a low self-assessment score, it stands to reason that the DoD will consider that company to be a higher security risk than an alternative supplier with a better score. Likewise, primes will consider self-assessment scores when evaluating possible subcontractors with which to work, and it is reasonable to expect that subcontractors with higher scores are more likely to win the work.
Clearly, raising your company’s self-assessment score is crucial. Given its weight in both DFARS and CMMC, improving your protection of CUI can help you raise that self-assessment score quickly. CUI is typically shared in the form of email or files, and thus platforms that protect email and file sharing are key tools in achieving that goal. PreVeil’s encrypted Email and Drive services provide unrivaled security for protecting CUI using the gold standard of end-to-end encryption, which means that email and files are only ever encrypted and decrypted on a user’s device—and never on a server.
PreVeil’s solutions support compliance with DFARS, NIST 800-171, and CMMC Level 3 (as well as ITAR). This blog explains what you need to know about the DFARS Interim Rule’s self-assessment scoring and reporting requirements. The blog also references an appendix – available for download– which provides additional detail by listing each of NIST 800-171’s 110 controls and showing how PreVeil helps increase self-assessments by nearly 40 points. The blog concludes by explaining how PreVeil can help you quickly improve your level of cybersecurity—and significantly raise your self-assessment score—by protecting CUI. For the longer term, PreVeil’s solutions put your company on an accelerated path to achieving CMMC Level 3 and preserving your competitiveness in the DIB.
Download our DFARS whitepaper to learn how your defense contractor can quickly and easily raise its SPRS score by nearly 40 points.
DFARS Compliance Checklist
The DFARS Interim Rule requires that contractors bidding on new DoD contracts (or exercising options in their current contracts) not only continue to conduct self-assessments based on NIST 800-171 controls, but also report out the results of their self-assessment to the SPRS (Supplier Performance Risk System). Specifically:
- Contractors must create a System Security Plan (SSP) as a prerequisite for all further considerations.
- DoD’s NIST 800-171 Assessment Methodology must be adhered to and all contractors who handle CUI must perform at least a Basic level self-assessment.
- Self-assessments will be scored. Scoring starts at a maximum of 110, based on the 110 NIST 800-171 controls. Points will be subtracted for each control not yet implemented.
- Because the DoD’s Assessment Methodology assigns more than one point to some controls, a negative score is possible.
- Self-assessment scores will range from -203 to +110, a spread of 313 points.
- Self-assessment scores must be filed in the DoD’s SPRS by the time of contract award, and the self-assessment must be maintained for the duration of the contract.
- If their self-assessment score falls below 110, contractors are required to create a POAM and indicate to the DoD by what date the security gaps will be remediated and a score of 110 will be achieved.
- Self-assessments must have been completed within the past three years.
Contractors should not delay in getting started with their self-assessment, creating an SSP, and reporting their score. As noted, gaps should be addressed by POAMS, along with an indication of when they will be closed. However, POAMS will not be allowed under CMMC, and so it is important to fix these gaps with the appropriate technology or policies.
The Challenge: Score matters
While the DFARS Interim Rule doesn’t specify minimum self-assessment scores that must be achieved, all companies wishing to do work for the DoD should know that the DoD will do risk-based assessments to help determine which companies it will award contracts to. If a company has a low self-assessment score, it stands to reason that the DoD will consider that company to be a higher security risk than a competitor with a better self-assessment score.
Looking ahead, any Basic self-assessment score less than 110 also presents a business risk in that it triggers a POAM, which will not be permissible under CMMC guidelines. Furthermore, a contract that necessitates CMMC Level 3 compliance will also mandate that contractors meet 20 additional requirements on top of NIST 800-171’s 110 controls. The DoD has stated that these CMMC requirements are expected to begin to appear in DoD contracts in early 2021 and will be seen with increasing frequency thereafter.
[A]ny Basic self-assessment score less than 110 also presents a business risk in that it triggers a POAM, which will not be permissible under CMMC guidelines
The challenge is to quickly improve your company’s cybersecurity controls—and thus its fundamental protection of CUI—and raise its self-assessment score so as to become a more competitive player in the Defense Industrial Base.
Raising the score: A case study
SysArc, an MSSP in the Washington, D.C. area, has helped more than 500 defense contractors navigate the complexities of DFARS, NIST 800-171, and CMMC compliance. SysArc recently conducted an analysis of its engagements during the past year and found that the typical small to midsize defense contractor—let’s call it Standard, Inc.—would have scored a -27 on its initial NIST 800-171 self-assessment done according to the DFARS Interim Rule’s scoring system. (Recall that negative scores are possible, given that scoring starts at 110, points are subtracted for controls not met, and more than one point is assigned to some controls.)
Appendix A (available for download) shows Standard Inc.’s self-assessment scorecard, which reflects the strengths and weaknesses of a typical small to midsize defense contractor. The scorecard makes clear that Standard, Inc. needs to improve its practices and processes for protecting and communicating CUI. The company has implemented basic cybersecurity controls—e.g., a firewall, patch system, and antivirus software—but little else. Standard, Inc. lacks MFA, encryption, and continuous monitoring of networks and, likewise, is struggling to adequately protect CUI.
One way for Standard, Inc.to rapidly effect improvements in the protection and communication of CUI, and quickly get on the path to CMMC compliance, is to install PreVeil’s end-to-end encrypted Drive and Email platform as a complement to its existing infrastructure. Upon doing so, Standard Inc. will immediately improve the protection of its sensitive data as well as its score in five domains as follows:
- Access Control (3.1) – gain 11 points
- Configuration Management (3.4) – gain 5 points
- Media Protection (3.8) – gain 1 point
- Physical Protection (3.10) – gain 1 point
- System and Communications Protection (3.13) – gain 21 points
TOTAL GAIN = 39 POINTS
Note that because self-assessment scores can range from -203 to +110, a range of 313 points, an increase of 39 points represents a gain of more than 12% in your company’s score.
The scorecard in Appendix A highlights the specific controls within these domains that PreVeil addresses and, likewise, how Standard Inc.’s score goes up 39 points, from -27 to +12.
Some consolation: A negative score on initial self-assessment is typical.
Based on SysArc’s analysis of its engagements during the past year, a score of -27 on a small to midsize defense contractor’s initial self-assessment is typical, as described above. Given these outcomes, it is not hard to understand why the Department of Defense is focusing on raising cybersecurity standards throughout the DIB.
Figure 1 shows the 313-point range of possible self-assessment scores, from -203 to +110, as well as the average score of -27 for SysArc’s typical small to midsize defense contractor clients. For reference, the midpoint of the 313-point range, a score of -46.5, is marked as well. The figure illustrates how implementation of PreVeil can quickly raise your score by 39 points—a significant jump given the scoring range—and increase your company’s competitiveness in winning defense contracts.
Figure 1: NIST 800-171 self-assessment scoring range and score for typical small to midsize defense contractors
Implementation of PreVeil increases score by 39 points
Figure 2 visualizes the results of nearly 50 recent self-assessments that SysArc has helped clients perform in recent months. All scores have been normed to a 100-point scale to show how close to achieving 100% of the required cybersecurity controls the organizations are. Note that a score of -46.5 – the midpoint of the self-assessment score range – would correspond to a wedge in the red zone. Standard Inc. with its score of -27 would similarly be a red wedge in this graphic. However, once Standard Inc. deployed PreVeil’s Email and Drive solution, the company would move solidly into the yellow zone.
It is important to note that nearly every one of the organizations in the green zone have worked their way there over time; that is, these results are not from initial self-assessments, but rather from several subsequent ones as the organizations implemented solutions to improve their scores.
Figure 2: Results of recent self-assessments completed by SysArc (normed to 100)
The PreVeil solution
PreVeil is an email and file sharing platform that provides unrivaled security for protecting CUI. All user data is secured using the gold standard of end-to-end encryption, which means that the information is only encrypted and decrypted on a user’s device—and never on a server. In addition, CUI cannot be accessed with stolen passwords, nor by using a compromised administrator’s credentials, because PreVeil uses automatically-generated cryptographic keys rather than passwords. An organization can also use PreVeil to restrict the flow of CUI to just its trusted partners and suppliers.
PreVeil Email: Video demonstration
PreVeil Drive and Email deploy easily as a complementary system, with no impact on existing file and email servers—making configuration and deployment simple and inexpensive. PreVeil is easy for users to adopt because it integrates with the tools they already use: PreVeil Drive’s file sharing works like OneDrive and is integrated with Windows File Explorer and Mac Finder. PreVeil Email works seamlessly with Outlook, Gmail, or Apple Mail clients.
PreVeil Drive: Video demonstration
PreVeil’s end-to-end encrypted Drive and Email solutions support compliance with DFARS 252.204-7012 and NIST 800-171 (as well as ITAR requirements and the CMMC Level 3 mandates related to the communication and storage of CUI). And because PreVeil deploys in a matter of hours, it’s an ideal way to immediately raise your company’s self-assessment score, as well as get you on the path to CMMC Level 3 compliance.
In addition to its ease of deployment and use, PreVeil is cost effective. It can be deployed only to employees handling CUI, whereas alternatives require deployment across entire companies. And PreVeil’s straightforward, light-touch solutions help avoid expensive DFARS, NIST and CMMC consultant engagements, which are par for the course for some alternatives.
By deploying PreVeil, Standard Inc. has improved its self-assessment score by 39 points. Without question, this gain represents significant progress in the company’s score, its protection of CUI, and its advancement towards CMMC compliance. This progress will go a long way toward distinguishing the company from others in the DIB. Contractors aiming to rapidly improve their protections of CUI and self-assessment score are advised to implement such solutions.
Get started now
The DFARS Interim Rule raises the stakes across the entire Defense Industrial Base. Companies throughout the DoD supply chain must take action now—and not wait until the new DFARS requirements appear in a contract. Keep in mind, too, that the first ‘M’ in CMMC stands for “Maturity”. In practice, that means that companies will need to demonstrate that they’ve institutionalized the practices of CMMC compliance for months prior to becoming certified.
Companies should start by familiarizing themselves with the DoD’s NIST 800-171 Assessment Methodology. The new DFARS clause -7019 offers a detailed walk-through for performing and reporting a Basic level self-assessment. The self-assessment will reveal your security and compliance gaps, which you’ll need to address to stay competitive and win defense contracts.
To learn more about how PreVeil’s encrypted email and file sharing platforms can help you easily close security and compliance gaps and quickly raise your NIST 800-171 self-assessment score, download our whitepaper.