In September 2020, DoD released its long-anticipated DFARS Interim Rule, which goes into effect November 30, 2020. The Interim Rule has two main objectives: to establish CMMC as the framework DoD contracts will use, and to require contractors to perform a NIST SP 800-171 self-assessment and report the resulting score. With these dual mandates, the Interim Rule aims to close defense companies' security and compliance gaps and to provide an on-ramp for the rollout of CMMC.
All work done by defense contractors, primes and subcontractors alike, that is subject to DFARS 252.204-7012 will be affected by the requirements described in the Interim Rule. Under the -7012 clause, defense contractors who handle CUI must implement the NIST SP 800-171 security requirements. The Interim Rule introduces three new clauses (252.204-7019, -7020 and -7021): the first two strengthen the NIST SP 800-171 assessment requirement, and the third introduces the CMMC requirement, smoothing the transition to CMMC.
The goal of this blog is to explain what contractors need to know about the Interim Rule's scoring requirements and the responsibility primes must take for their subcontractors' cybersecurity posture. It also looks to clarify how preparation in these areas can ready a contractor for the eventual rollout of CMMC.
Self-Assessment and reporting requirements
The new DFARS clause -7019 requires that contractors bidding on new DoD contracts (or exercising options in their current contracts) not only continue to conduct self-assessments against the NIST SP 800-171 controls, but also report the results of those self-assessments to the Supplier Performance Risk System (SPRS). Specifically:
Contractors should not delay in getting started with their self-assessment and in reporting their score accurately. Gaps should be documented in Plans of Action and Milestones (POA&Ms), along with the date by which each will be closed. POA&Ms, however, will not be allowed under CMMC, so it is important to close these gaps with the proper security measures rather than carry them forward.
Primes’ and subcontractors’ responsibilities
Prime contractors must flow down self-assessment requirements to their subcontractors that handle CUI. Specifically:
While the DFARS Interim Rule doesn't specify a minimum self-assessment score that must be achieved, all companies wishing to do work for the DoD should know that the DoD will use the reported scores in its risk-based assessments when deciding which companies to award contracts to. If a company has a low self-assessment score, it stands to reason that the DoD will consider that company a higher security risk than a competitor with a better score.
Looking ahead, any Basic self-assessment score below the maximum of 110 also presents a business risk, because each missing point means an open requirement that must be tracked in a POA&M, and POA&Ms will not be permissible under CMMC. A contract that requires CMMC Level 3 will also mandate 20 additional practices beyond the 110 NIST SP 800-171 requirements. The DoD has stated that CMMC requirements are expected to begin appearing in DoD contracts in early 2021 and with increasing frequency thereafter.
How PreVeil can help you raise your self-assessment score now
PreVeil's end-to-end encrypted Drive and Email offerings support compliance with DFARS 252.204-7012 and NIST SP 800-171 (as well as ITAR and the CMMC Level 3 practices related to the communication and storage of CUI). And because PreVeil deploys in a matter of hours, it can help your company quickly raise its newly required self-assessment score and get on the path to CMMC Level 3 compliance.
Furthermore, PreVeil is cost effective. It need only be deployed to the employees who handle CUI, whereas alternatives require deployment across an entire company. And PreVeil's straightforward, light-touch deployment helps avoid the expensive DFARS, NIST and CMMC consulting engagements that are par for the course with some alternatives.
Get started now
The DFARS Interim Rule raises the stakes across the entire Defense Industrial Base. And while there is a comment period for the Interim Rule, contractors should not expect the final rule to vary significantly from the current version. Minor clarifications are far more likely, as the rule has been years in the making.
Therefore, companies throughout the DoD supply chain must take action now, and not wait until the new DFARS requirements appear in a contract. Keep in mind, too, that the first "M" in CMMC stands for "Maturity". In practice, that means companies will need to demonstrate that they have been operating CMMC's controls for some time, at least 3-6 months, before becoming certified.
Companies should start by familiarizing themselves with the DoD's NIST SP 800-171 Assessment Methodology, which in reality isn't new at all but has not been widely executed until now. New DFARS clause -7019, together with the Assessment Methodology it references, describes how to perform and report a Basic level self-assessment. The self-assessment will reveal your security and compliance gaps, which you'll need to begin to address.
To learn more about how PreVeil's Email and File Sharing platforms can help you close those security and compliance gaps and raise your NIST SP 800-171 self-assessment score, contact us.
This is a Security Bloggers Network syndicated blog from Blog – PreVeil authored by Orlee Berlove. Read the original post at: https://www.preveil.com/blog/the-dfars-interim-rule-what-you-need-to-know/