In September 2020, DoD released its long-anticipated DFARS Interim Rule, which goes into effect November 30, 2020. The Interim Rule’s main objectives are to make clear that CMMC will serve as the new cybersecurity framework for DoD contracts and to instruct contractors that they must perform a self-assessment based on NIST 800-171 and report their score to the DoD. With these dual mandates, the Interim Rule looks to address defense companies’ security and compliance gaps, and provide an onramp for the rollout of CMMC.
All work done by defense contractors, primes and subcontractors alike, that is subject to DFARS 252.204-7012 will be affected by the requirements described in the Interim Rule. Under that DFARS -7012 clause, defense contractors who handle CUI must adhere to the NIST SP 800-171 cybersecurity controls. The Interim Rule introduces three new clauses (-7019, -7020 and -7021) focused primarily on strengthening NIST SP 800-171's self-assessment requirement and, in turn, smoothing the transition to CMMC.
The goal of this blog is to explain what contractors need to know about the Interim Rule’s scoring requirements and the responsibility Primes must take for their subcontractors’ cybersecurity standards. This blog will also look to clarify how preparation in these areas can enable a contractor to be ready for the eventual rollout of CMMC.
The new DFARS clause -7019 requires that contractors bidding on new DoD contracts (or exercising options in their current contracts) not only continue to conduct self-assessments against the NIST 800-171 controls, but also report the results of those self-assessments to the SPRS (Supplier Performance Risk System). Specifically:
Contractors should not delay in getting started with their self-assessment and in reporting their score accurately. Gaps, as noted, should be addressed by POAMs along with an indication of when they will be closed. POAMs, however, will not be allowed under CMMC, so it is important to close these gaps with the proper security measures rather than leaving them open.
Prime contractors must flow down self-assessment requirements to their subcontractors that handle CUI. Specifically:
While the DFARS Interim Rule doesn't specify a minimum self-assessment score that must be achieved, all companies wishing to do work for the DoD should know that the DoD will use risk-based assessments to help determine which companies it awards contracts to. If a company has a low self-assessment score, it stands to reason that the DoD will consider that company a higher security risk than a competitor with a better score.
Learn more about the DFARS Interim Rule and how PreVeil can help you quickly raise your SPRS score by 39 points: download our whitepaper.
Looking ahead, any Basic self-assessment score below 110 also presents a business risk in that it triggers a POAM, which will not be permissible under CMMC. Furthermore, a contract that requires CMMC Level 3 compliance will also mandate that the contractor meet 20 additional requirements. The DoD has stated that these CMMC requirements are expected to begin appearing in DoD contracts in early 2021 and to be seen with increasing frequency thereafter.
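As an added illustration that is not part of the original post, the Python below computes a Basic self-assessment score the way the DoD Assessment Methodology does: start at 110 and subtract 5, 3 or 1 points for each control that is not implemented, with the methodology's two partial-credit controls (3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography) scored at 3 when only partly in place. The control-to-weight table here is a small constructed sample, not the full 110-control table, and any control not listed in the status dictionary is assumed implemented.

```python
# Basic (Level 1) NIST SP 800-171 DoD Assessment Methodology scoring.
# Rules from the methodology: 110-point maximum, each unimplemented control
# deducts its weight (5, 3 or 1), and the score can go negative.
MAX_SCORE = 110

# Constructed sample of control IDs -> deduction if not implemented.
# This is NOT the full table; weights for a real assessment come from
# the DoD Assessment Methodology document.
SAMPLE_WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.20": 1,   # verify/control connections to external systems
    "3.5.3": 5,    # multifactor authentication (partial credit control)
    "3.13.11": 5,  # FIPS-validated cryptography (partial credit control)
    "3.14.1": 5,   # identify and correct system flaws in a timely manner
}

# Only these two controls may be scored at 3 points for partial implementation.
PARTIAL_CREDIT_CONTROLS = {"3.5.3", "3.13.11"}
VALID_STATUSES = {"implemented", "partial", "not_implemented"}


def deduction(control, status, weights=SAMPLE_WEIGHTS):
    """Points to subtract for one control given its implementation status."""
    if status not in VALID_STATUSES:
        raise ValueError(f"unknown status {status!r} for {control}")
    if status == "implemented":
        return 0
    if status == "partial":
        if control not in PARTIAL_CREDIT_CONTROLS:
            # The methodology gives no partial credit elsewhere: treat as unmet.
            return weights[control]
        return 3
    return weights[control]


def sprs_score(statuses, weights=SAMPLE_WEIGHTS):
    """Score to report to SPRS; controls absent from statuses count as implemented."""
    return MAX_SCORE - sum(deduction(c, s, weights) for c, s in statuses.items())


def poam_items(statuses):
    """Controls that must appear on the POAM (anything short of implemented)."""
    return sorted(c for c, s in statuses.items() if s != "implemented")


def needs_poam(statuses, weights=SAMPLE_WEIGHTS):
    """A score below 110 means at least one gap and therefore a POAM."""
    return sprs_score(statuses, weights) < MAX_SCORE
```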
PreVeil's end-to-end encrypted Drive and Email offerings support compliance with DFARS 252.204-7012 and NIST 800-171 (as well as ITAR and virtually all of the CMMC Level 3 mandates related to the communication and storage of CUI). And because PreVeil deploys in a matter of hours, it can help your company quickly raise its newly required self-assessment score and get you on the path to CMMC Level 3 compliance.
Furthermore, PreVeil is cost-effective. It needs to be deployed only to the employees who handle CUI, whereas alternatives require deployment across entire companies. And PreVeil's straightforward, light-touch solutions help avoid expensive DFARS, NIST and CMMC consultant engagements, which are par for the course with some alternatives.
The DFARS Interim Rule raises the stakes across the entire Defense Industrial Base. And while there is a comment period for the Interim Rule, contractors should not expect the final rule to vary significantly from the current version. Rather, minor clarifications are far more likely, as the rule has been years in the making.
Therefore, companies throughout the DoD supply chain must take action now, and not wait until the new DFARS requirements appear in a contract. Keep in mind, too, that the first "M" in CMMC stands for "Maturity". In practice, that means companies will need to demonstrate that they have been in compliance with CMMC's controls for some time, at least 3-6 months, prior to becoming certified.
Companies should start by familiarizing themselves with the DoD's NIST 800-171 Assessment Methodology, which in reality isn't new at all but has not been widely executed until now. New DFARS clause -7019 offers a detailed walk-through for performing and reporting a Basic-level self-assessment. The self-assessment will reveal your security and compliance gaps, which you will need to begin addressing.
To learn more about how PreVeil can quickly and easily raise your SPRS score by nearly 40 points, download our DFARS whitepaper.