The DFARS Interim Rule: What you need to know
In September 2020, DoD released its long-anticipated DFARS Interim Rule, which goes into effect November 30, 2020. The Interim Rule’s main objectives are to solidify that CMMC will be the new framework for DoD contracts and to instruct contractors that they must perform and report a self-assessment score based on NIST 800-171. With these dual mandates, the Interim Rule looks to address defense companies’ security and compliance gaps and provide an onramp for the rollout of CMMC.
All work done by defense contractors—primes and subcontractors—subject to DFARS 252.204-7012 will be impacted by the requirements described in the Interim Rule. Under that DFARS -7012 clause, defense contractors who handle CUI must adhere to NIST SP 800-171 cybersecurity controls. The Interim Rule introduces three new clauses (-7019, -7020 and -7021) focused primarily on strengthening NIST SP 800-171’s self-assessment requirement and, likewise, smoothing the transition to CMMC.
The goal of this blog is to explain what contractors need to know about the Interim Rule’s scoring requirements and the responsibility Primes must take for their subcontractors’ cybersecurity standards. This blog will also look to clarify how preparation in these areas can enable a contractor to be ready for the eventual rollout of CMMC.
Self-Assessment and reporting requirements
The new DFARS clause -7019 requires that contractors bidding on new DoD contracts (or exercising options in their current contracts) not only continue to conduct self-assessments based on NIST 800-171 controls, but also requires that they report out the results of their self-assessment to the SPRS. Specifically:
- DoD’s NIST 800-171 Assessment Methodology must be adhered to and all contractors must perform a Basic level self-assessment.
- Self-assessments will be scored. Scoring starts at a maximum score of 110, based on the 110 NIST SP 800-171 controls. Points will be subtracted for each control not yet implemented.
- Because the DoD’s Assessment Methodology assigns more than one point to some requirements, a negative score is possible.
- Self-assessment scores must be filed in the DoD’s Supplier Performance Risk System (SPRS) by the time of contract award, and the self-assessment must be maintained for the duration of the contract.
- If their self-assessment score falls below 110, contractors are required to create a POAM and indicate by what date the security gaps will be remediated and a score of 110 will be achieved.
- Self-assessments must have been completed within the past three years.
Contractors should not delay in getting started with their self-assessment and in reporting their score accurately. Gaps, as noted, should be addressed by POAMs along with an indication of when they will be met. POAMs, however, will not be allowed under CMMC, so it is important to fix these gaps with the proper security measures.
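As an added illustration (not code from the original post), a small Python scorer that applies the rules above: start at 110, subtract a weight for every control not yet implemented, let the result go negative, and refuse to build an SPRS entry unless the assessment is current and every gap carries a POAM remediation date. The control IDs, per-control weights and dates are assumed sample values; the actual point values come from DoD’s Assessment Methodology, which this post does not reproduce.

```python
from datetime import date, timedelta

MAX_SCORE = 110                      # one point per NIST SP 800-171 requirement (110 total)
ASSESSMENT_VALIDITY_DAYS = 3 * 365   # a Basic self-assessment may be up to three years old

# Constructed sample weighting. The Interim Rule only says that some requirements
# cost more than one point; the real per-control values live in DoD's Assessment
# Methodology, so these numbers are illustrative rather than authoritative.
SAMPLE_WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.8.3": 3,    # sanitize media before disposal or reuse
}
DEFAULT_WEIGHT = 1  # assumed: any control not listed above costs one point


def basic_score(unimplemented, weights=SAMPLE_WEIGHTS):
    """Start at 110 and subtract the weight of each control not yet implemented.
    Because some controls cost more than a point, the result can be negative."""
    return MAX_SCORE - sum(weights.get(cid, DEFAULT_WEIGHT) for cid in unimplemented)


def poam(unimplemented, target_dates):
    """A score below 110 needs a POAM: every gap must carry a remediation date.
    Raises if any gap is undated, since an undated gap cannot be reported."""
    missing = sorted(set(unimplemented) - set(target_dates))
    if missing:
        raise ValueError(f"no remediation date for: {missing}")
    return sorted((cid, target_dates[cid]) for cid in unimplemented)


def assessment_is_current(assessed_on, today):
    """The self-assessment must have been completed within the past three years."""
    return today - assessed_on <= timedelta(days=ASSESSMENT_VALIDITY_DAYS)


def sprs_entry(unimplemented, target_dates, assessed_on, today):
    """What gets filed in SPRS: score, assessment date, and the POAM completion
    date (latest remediation date across all gaps) when the score is under 110."""
    if not assessment_is_current(assessed_on, today):
        raise ValueError("self-assessment is older than three years; reassess before award")
    score = basic_score(unimplemented)
    entry = {"score": score, "assessed_on": assessed_on.isoformat(), "poam_completion": None}
    if score < MAX_SCORE:
        entry["poam_completion"] = max(d for _, d in poam(unimplemented, target_dates)).isoformat()
    return entry
```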
Primes’ and subcontractors’ responsibilities
Prime contractors must flow down self-assessment requirements to their subcontractors that handle CUI. Specifically:
- Prime contractors must include the NIST 800-171 self-assessment requirements stipulated in new DFARS clause -7020 in all applicable subcontracts.
- Subcontractors must have the results of a current self-assessment filed in SPRS, and contractors must confirm with the subcontractor that this requirement has been met prior to award of a subcontract.
New DFARS clause -7021 serves as the bridge from DFARS and NIST to the new CMMC framework and requires:
- All contractors—primes and subs—must achieve CMMC certification at the level specified in the contract by time of award. CMMC certification must be maintained at the appropriate level for the duration of the contract.
- In addition to clause -7020 requirements, prime contractors also must flow down clause -7021 to all subcontractors.
While the DFARS Interim Rule doesn’t specify minimum self-assessment scores that must be achieved, all companies wishing to do work for the DoD should know that the DoD will do risk-based assessments to help determine which companies it will award contracts to. If a company has a low self-assessment score, it stands to reason that the DoD will consider that company to be a higher security risk than a competitor with a better self-assessment score.
Looking ahead, any Basic self-assessment score less than 110 also presents a business risk in that it triggers a POAM, which will not be permissible under CMMC. A contract that necessitates CMMC Level 3 compliance will also mandate 20 additional requirements. The DoD has stated that these CMMC requirements are expected to begin to appear in DoD contracts in early 2021 and be seen with increasing frequency thereafter.
How PreVeil can help you raise your self-assessment score now
PreVeil’s end-to-end encrypted Drive and Email offerings support compliance with DFARS 252.204-7012 and NIST 800-171 (as well as ITAR and virtually all of the CMMC Level 3 mandates related to the communication and storage of CUI). And because PreVeil deploys in a matter of hours, it can help your company quickly raise its newly-required self-assessment score as well as get you on the path to CMMC Level 3 compliance.
Furthermore, PreVeil is cost effective. It need be deployed only to employees handling CUI, whereas alternatives require deployment across entire companies. And PreVeil’s straightforward, light-touch solutions help avoid expensive DFARS, NIST and CMMC consultant engagements, which are par for the course for some alternatives.
Get started now
The DFARS Interim Rule raises the stakes across the entire Defense Industrial Base. And while there is a comment period for the Interim Rule, contractors should not expect the final rule to vary significantly from the current version. Rather, minor clarifications are far more likely, as the rule has been years in the making.
Therefore, companies throughout the DoD supply chain must take action now—and not wait until the new DFARS requirements appear in a contract. Keep in mind, too, that the first ‘M’ in CMMC stands for “Maturity”. In practice, that means that companies will need to demonstrate that they’ve been in compliance with CMMC’s controls for some time—at least 3-6 months—prior to becoming certified.
Companies should start by familiarizing themselves with the DoD’s NIST 800-171 Assessment Methodology, which in reality isn’t new at all, but has not been widely executed until now. New DFARS clause -7019 offers a detailed walk-through for performing and reporting a Basic level self-assessment. The self-assessment will reveal your security and compliance gaps, which you’ll need to begin to address.
To learn more about how PreVeil’s Email and File Sharing platforms can help you close those security and compliance gaps and raise your NIST 800-171 self-assessment score, contact us.
*** This is a Security Bloggers Network syndicated blog from Blog – PreVeil authored by Orlee Berlove. Read the original post at: https://www.preveil.com/blog/the-dfars-interim-rule-what-you-need-to-know/