The Interim DFARS Rule and What It Means for You
The Cybersecurity Maturity Model Certification (CMMC) became part of the Defense Federal Acquisition Regulation Supplement (DFARS) in January 2020 and was updated to CMMC 2.0 in November 2021. This decision impacted over 300,000 defense industrial base (DIB) members, creating confusion about CMMC’s implications on current and future government contracts.
The situation became more complex with the introduction of the Interim DFARS Rule (DFARS Case 2019-D041) on November 30, 2020. This rule mandates that all defense contractors perform cybersecurity self-assessments using the NIST CSF (SP) 800-171 DOD Assessment Methodology to qualify for new defense contracts and renewals.
Let’s break down the Interim DFARS Rule and its impact on you as a DIB member. We’ll discuss the changes in the rule, what it requires contractors to do, and the next steps you should take.
What Changed in the Interim DFARS Rule?
The DOD has long emphasized the need for defense contractors to follow the 110 cybersecurity controls defined in the National Institute of Standards and Technology (NIST) Special Publication 800-171, commonly known as “800-171.”
Before CMMC, DFARS required most defense contractors to attest that they followed all 800-171 controls. However, many non-compliant contractors and sporadic government audits led to leaks of controlled unclassified information (CUI).
To counter potential security threats, the Interim DFARS Rule requires contractors to complete self-assessments and formally score their 800-171 compliance status using a specific scoring system developed by the DOD. Contractors must then upload their self-assessment scores to the federal Supplier Performance Risk System (SPRS) database to qualify for new contracts and renewals.
Self-Assessment and the Scoring Matrix
During self-assessment, contractors rate themselves based on the implementation of each of the 110 NIST (SP) 800-171 cybersecurity controls. The CMMC requires DOD contractors to conduct these self-assessments every three years unless changes necessitate more frequent assessments. Since contractors are subject to DOD and prime contractor audits at any time, maintaining cybersecurity controls and having recent documentation is critical.
The assessment scoring starts with a perfect score of 110 for each NIST 800-171 control. Points are subtracted for non-implementation of controls, with each control holding a weighted point value ranging from one to five based on its significance.
No credit is given for partially implemented controls, except for multifactor authentication and FIPS-validated encryption. Although NIST does not prioritize security requirements, it acknowledges that some controls have a higher impact on network security.
Key Points for Self-Assessment
- Plan of Action and Milestones (POA&M): If you don’t achieve a perfect score of 110 points, create a POA&M document outlining how deficiencies will be addressed and remediated. Update your score once shortcomings are resolved.
- System Security Plan (SSP): Develop an SSP detailing implemented NIST 800-171 controls, including operational procedures, organizational policies, and technical components.
- Audit Readiness: SSPs and POA&Ms are not uploaded to the federal database but must be available for audit.
- Score Submission: Submit your score to the governmental SPRS database within 30 days of completing the self-assessment.
Get Assessment-Ready Now!
To qualify for new contracts and renewals while CMMC is being rolled out, start conducting thorough and accurate self-assessments and fulfill today’s cybersecurity requirements. This ensures compliance with the Interim DFARS Rule and prepares you for future CMMC developments.
Navigating CMMC complexities can be overwhelming. Partnering with an experienced team like ours can ease the pressure. Contact us today to get our security experts in your corner.