In September 2020, DoD released its long-anticipated DFARS Interim Rule, which goes into effect November 30, 2020. The Interim Rule’s main objectives are to make clear that CMMC will serve as the new cybersecurity framework for DoD contracts and to instruct contractors that they must perform a self-assessment based on NIST 800-171 and report their score to the DoD. With these dual mandates, the Interim Rule looks to address defense companies’ security and compliance gaps, and provide an onramp for the rollout of CMMC.
All work done by defense contractors—primes and subcontractors—subject to DFARS 252.204-7012 will be impacted by the requirements described in the Interim Rule. Under that DFARS -7012 clause, defense contractors who handle CUI must adhere to NIST SP 800-171 cybersecurity controls. Contractors who only handle Commercial Off-the-Shelf (COTS) items do not have to meet the requirements of the Interim Rule. The Interim Rule introduces three new clauses (7019, 7020 and 7021) focused primarily on strengthening NIST SP 800-171’s self-assessment requirement and, likewise, smoothing the transition to CMMC.
The goal of this blog is to explain what contractors need to know about the Interim Rule’s scoring requirements and the responsibility Primes must take for their subcontractors’ cybersecurity standards. This blog will also look to clarify how preparation in these areas can enable a contractor to be ready for the eventual rollout of CMMC.
Self-Assessment and reporting requirements
The new DFARS clause -7019 requires that contractors bidding on new DoD contracts (or exercising options in their current contracts) not only continue to conduct self-assessments based on NIST 800-171 controls, but also report the results of their self-assessment to the SPRS (Supplier Performance Risk System). Specifically:
- DoD’s NIST 800-171 Assessment Methodology must be adhered to and all contractors that handle CUI must perform at least a Basic level self-assessment.
- Self-assessments will be scored. Scoring starts at the lowest possible score of -203. One, three, or five points are earned for each control met, all the way up to the maximum of 110. Negative self-assessment scores are possible, as they can range from -203 to +110, a spread of 313 points.
- Self-assessment scores must be filed in the DoD’s SPRS by the time of contract award, and the self-assessment must be maintained for the duration of the contract.
- If their self-assessment score falls below 110, contractors are required to create a POAM and indicate by what date the security gaps will be remediated and a score of 110 will be achieved.
- Self-assessments must have been completed within the past three years.
Contractors should not delay in getting started with their self-assessment and in reporting their score accurately. Gaps, as noted, should be addressed by POAMs along with an indication of when they will be closed.
Primes’ and subcontractors’ responsibilities
The new DFARS clauses 7020 and 7021 build on and strengthen DFARS 7019. Specifically, DFARS 7020 requires:
- Contractors must provide the Government with access to their facilities, systems, and personnel when it is necessary for DoD to conduct or renew a higher-level assessment of their compliance with NIST SP 800-171.
- Prime contractors must flow down the NIST 800-171 self-assessment requirements and all others stipulated in DFARS 7019 and 7020 to all subcontracts handling CUI.
- Prime contractors must confirm that all subcontractors have the results of a current self-assessment filed in SPRS prior to award of a subcontract.
DFARS clause -7021 serves as the bridge from DFARS and NIST to the new CMMC framework and requires:
- All contractors—primes and subs—must achieve CMMC certification at the level specified in the contract by time of award. CMMC certification must be maintained at the appropriate level for the duration of the contract.
- In addition to clause -7020 requirements, prime contractors also must flow down clause -7021 to all subcontractors.
While the DFARS Interim Rule doesn’t specify minimum self-assessment scores that must be achieved, all companies wishing to do work for the DoD should know that the DoD will do risk-based assessments to help determine which companies it will award contracts to. If a company has a low self-assessment score, it stands to reason that the DoD will consider that company to be a higher security risk than a competitor with a better self-assessment score.
Learn more about the DFARS Interim Rule and how PreVeil can help you quickly raise your SPRS score by 39 points: download our whitepaper.
Looking ahead, any Basic self-assessment score less than 110 also presents a business risk in that it triggers a POAM. Furthermore, a contract that necessitates CMMC Level 3 compliance will also mandate that 20 additional requirements be met by the contractor. The DoD has stated that these CMMC requirements are expected to begin to appear in DoD contracts in early 2021 and be seen with increasing frequency thereafter.
How PreVeil can help you raise your self-assessment score
PreVeil’s end-to-end encrypted Drive and Email offerings support compliance with DFARS 252.204-7012 and NIST 800-171 (as well as ITAR and virtually all of the CMMC Level 2 mandates related to the communication and storage of CUI). And because PreVeil deploys in a matter of hours, it can help your company quickly raise its newly-required self-assessment score as well as get you on the path to CMMC Level 2 compliance.
Furthermore, PreVeil is cost effective. It need be deployed only to employees handling CUI, whereas alternatives require deployment across entire companies. And PreVeil’s straightforward, light-touch solutions help avoid expensive DFARS, NIST and CMMC consultant engagements, which are par for the course for some alternatives.
Get started now
The DFARS Interim Rule raises the stakes across the entire Defense Industrial Base. And while there is a comment period for the Interim Rule, contractors should not expect the final rule to vary significantly from the current version. Rather, minor clarifications are far more likely, as the rule has been years in the making.
Therefore, companies throughout the DoD supply chain must take action now—and not wait until the new DFARS requirements appear in a contract. Keep in mind, too, that the first “M” in CMMC stands for “Maturity”. In practice, that means that companies will need to demonstrate that they’ve been in compliance with CMMC’s controls for some time—at least 3-6 months—prior to becoming certified.
Companies should start by familiarizing themselves with the DoD’s NIST 800-171 Assessment Methodology, which in reality isn’t new at all, but has not been widely executed until now. New DFARS clause -7019 offers a detailed walk-through for performing and reporting a Basic level self-assessment. The self-assessment will reveal your security and compliance gaps, which you’ll need to begin to address.
To learn more about how PreVeil can quickly and easily raise your SPRS score by nearly 40 points, download our DFARS whitepaper.