The Department of Defense (DoD) has updated guidance indicating that it will cement clauses 7019 and 7020 of its November 2020 Interim DFARS Rule into a Final Rule in December 2022. The DFARS Interim Rule, which is currently in effect, aims to strengthen NIST SP 800-171 compliance. It requires that all defense contractors that handle CUI (Controlled Unclassified Information) and are subject to DFARS 252.204-7012 not only conduct a NIST SP 800-171 self-assessment, but also report the resulting score to the DoD's SPRS (Supplier Performance Risk System). Under clause 7019, that assessment must be current, meaning no more than three years old, at the time of contract award.

The Interim Rule (clause 7020) also requires defense contractors to give DoD access to their facilities, systems, and personnel as necessary for DoD to conduct or renew a higher-level (Medium or High) assessment of NIST SP 800-171 compliance. In other words, contractors must allow a DoD review of compliance that dives deeper than the contractor's own self-assessment.

The DoD is clearly signaling its intent to enforce defense contractors' compliance with NIST SP 800-171 under existing DFARS regulations. DoD has also indicated that CMMC is scheduled to become an Interim Rule in March 2023. Since both the DFARS clauses and CMMC Level 2 rest on the same NIST SP 800-171 requirements, increased enforcement means that your organization needs to act now to protect its CUI and comply with NIST SP 800-171 and related DoD mandates.

This blog explains what defense contractors need to do now to meet DoD cybersecurity mandates and maintain their competitive position in the DIB. Inaction poses a serious risk to the ongoing viability of your DoD-related business, as described below.

The December 2022 Final DFARS Rule means significant business risk for defense contractors that fail to take action

Cyber threats have become one of the most serious strategic threats facing the United States. In response, the DoD is urgently ramping up enforcement of its cybersecurity regulations to protect the DIB's vast attack surface. DoD's Final Rule action in December 2022 is one part of this effort. The issuance of a Final Rule will mean more DoD assessments (aka audits) of NIST SP 800-171 compliance throughout the DIB. More importantly, it gives the DoD and prime contractors a single, comparable metric, the SPRS score, for gauging a contractor's cybersecurity posture. Note that a Basic assessment score is self-reported; only a Medium or High assessment performed by DoD independently verifies it, which is exactly why those higher-level assessments are expected to increase.

Lack of an SPRS score is a red flag and jeopardizes your organization’s eligibility to keep existing DoD contracts and win new ones. Some prime contractors already have begun to formally request relevant cybersecurity information from their subcontractors. If you’re a subcontractor, know that primes are increasingly wary of the risk of working with any subcontractor not in compliance with DoD cybersecurity mandates—and will quickly turn to those that are.

The November 2020 DFARS Interim Rule also requires primes to take responsibility for the security of their supply chains: before awarding a subcontract that involves CUI, a prime must ensure that the subcontractor has a current NIST SP 800-171 assessment posted in SPRS. And with the SPRS score requirement, primes now have a metric to easily compare the cyber maturity of competing subcontractors. Note too that organizations that misrepresent their cybersecurity levels are subject to penalties levied by the DoD and to False Claims Act liability pursued by the Department of Justice, which launched its Civil Cyber-Fraud Initiative in October 2021.

What defense contractors need to do now

DoD’s recent activities around enhancing the DIB’s cybersecurity send a loud and clear message. The best move you can make to safeguard the long-term viability of your business is to start now to:

  • Raise your organization's cybersecurity levels and comply with NIST SP 800-171.
  • Get your SSP (System Security Plan), POA&M (Plan of Actions & Milestones), and other required documentation in order. Note that the SSP and POA&M are the key documents your organization needs to support its required NIST SP 800-171 self-assessment.
  • Conduct an unbiased NIST SP 800-171 self-assessment and submit your score to the DoD's SPRS. Under the DoD Assessment Methodology, a Basic (self) assessment starts at 110 and subtracts a weighted value (1, 3, or 5 points) for each requirement that is not implemented, so scores range from -203 to 110, and only a score of 110 means every requirement is in place. Accurately represent your NIST SP 800-171 compliance level (that is, your SPRS score, the assessment date, and the date by which you expect to reach 110), and be prepared for primes to ask for that SPRS score.

Understand, too, that the security controls for CMMC Level 2 (the level that contractors that handle CUI will need to achieve) will be in alignment with the 110 security controls of NIST SP 800-171. That means that all effort devoted now to compliance with NIST SP 800-171 will help your organization more readily achieve CMMC Level 2. Federal rulemaking action to implement the CMMC framework is expected in March 2023. To keep a seat at the table for DoD contracts, your organization should be well on its way to full compliance with NIST SP 800-171 by then.

In closing

The Department of Defense (DoD) has been ramping up enforcement of defense contractors' compliance with NIST SP 800-171 by conducting hundreds of random reviews of how well contractors' self-assessment scores submitted to the DoD's SPRS match reality. The issuance of the Final DFARS Rule in December 2022 is expected to lead to a jump in those random audits and in enforcement of NIST SP 800-171. Prime contractors, too, increasingly expect their subcontractors to be in compliance. If you're a small- to mid-size company aiming to continue to do business in the DIB, you need to avoid being seen as a weak link in the supply chain.

Fortunately, technology solutions are available to help your organization minimize its business risks and reduce the costs and complexity of complying with DoD cybersecurity mandates.

About PreVeil

PreVeil is a state-of-the-art encrypted file sharing and email platform that offers uncompromised security for storing and sharing CUI. Organizations can easily add PreVeil to their existing IT environments (including Microsoft 365 Commercial), dramatically reducing the time and expense required to achieve compliance.

Read PreVeil’s briefs: