The Interim DFARS Rule and What It Means for You

The Cybersecurity Maturity Model Certification (CMMC) was first published in January 2020 and was written into the Defense Federal Acquisition Regulation Supplement (DFARS) later that year; CMMC 2.0 followed in November 2021. The program affects more than 300,000 members of the defense industrial base (DIB), and the noise surrounding CMMC has left many of them unsure what it means for their existing and future government contracts.


The pandemonium increased on November 30, 2020, when the Interim DFARS Rule (DFARS Case 2019-D041) took effect. It requires defense contractors subject to DFARS 252.204-7012 to assess themselves using the NIST SP 800-171 DoD Assessment Methodology and to have a current score on file before they can be awarded new defense contracts or renewals.

Amid all the deliberation and scrutiny, let’s try to understand the Interim DFARS Rule and what it means for you as a DIB member. In this blog post, we will discuss what changed in the Interim DFARS Rule, what it requires contractors to do, and what your next steps should be in light of this latest Department of Defense (DoD) directive.

 

What changed in the Interim DFARS Rule?


This is not the first time the Department of Defense has emphasized the need for defense contractors to adhere to the 110 cybersecurity controls outlined in NIST Special Publication 800-171, commonly called “800-171.”


Even before CMMC, DFARS clause 252.204-7012 required contractors handling controlled unclassified information (CUI) to implement all 110 of the 800-171 controls, but compliance rested on the contractor’s own attestation, with no scoring and no routine verification. Many contractors fell short, DoD audits kept finding the gaps, and CUI leaked.


The Interim DFARS Rule replaces that bare attestation with a self-assessment: contractors score their 800-171 implementation using a DoD-developed scoring system and post the resulting score to the DoD’s Supplier Performance Risk System (SPRS). Without a current score in SPRS, a contractor is not eligible for new contracts or renewals.


Now that you know what the Interim DFARS Rule changed, let’s look at how its scoring works.

 

Self-assessment and the scoring matrix


During the self-assessment, contractors score themselves on whether each of the 110 NIST SP 800-171 controls is implemented. The Interim Rule requires the score on file in SPRS to be no more than three years old, so the assessment must be repeated at least every three years, and sooner if the environment changes. DoD and prime contractors can also audit you at any time, so keep the controls in place and keep recent documentation that proves they are.


The assessment starts at a perfect score of 110, one point per control, and points are deducted for each control that is not implemented. The deduction is weighted by importance: each control is worth 1, 3 or 5 points, so a contractor with nothing implemented ends at -203.


Only two controls earn partial credit: multifactor authentication (3.5.3), where MFA that covers remote and privileged users but not general users costs 3 points instead of 5, and FIPS-validated cryptography (3.13.11), where encryption that is in use but not FIPS-validated likewise costs 3 instead of 5. Every other control is scored as either fully implemented or not. NIST itself does not prioritize the 800-171 requirements; the DoD methodology adds the weights because some controls have a far larger impact on the security of a network than others.
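To make the scoring rules concrete, here is an added example (not code from the original post or from DoD) that computes a Basic assessment score the way the methodology describes: start at 110, deduct each unimplemented control’s weight, and give partial credit only for 3.5.3 and 3.13.11. The weight table and the sample assessment are constructed for illustration; only the 5-point weights of 3.5.3 and 3.13.11 are taken from the methodology, the other weights are assumed, and a real assessment needs all 110 weights from the methodology’s annex. The function and constant names are the example’s own.

```python
"""Basic (self-)assessment scoring under the NIST SP 800-171 DoD Assessment
Methodology: start at 110, deduct the weight of each unimplemented control,
with partial credit only for MFA (3.5.3) and FIPS-validated cryptography
(3.13.11).  The weight table is a constructed subset for illustration; a real
assessment must use all 110 weights from the methodology's annex."""
from typing import Dict, List

MAX_SCORE = 110            # one point per control when every control is implemented
MIN_SCORE = -203           # every control unimplemented: 110 minus 313 points of weights
FULL_TABLE_SIZE = 110
FULL_TABLE_WEIGHT = MAX_SCORE - MIN_SCORE   # 313
VALID_WEIGHTS = {1, 3, 5}
STATUSES = {"implemented", "partial", "not_implemented"}

# Constructed weight table (control id -> points deducted when unimplemented).
# 3.5.3 and 3.13.11 are 5-point controls in the methodology; the other
# weights are assumed for this example, not quoted from the annex.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.3.1": 3, "3.1.20": 1, "3.5.3": 5, "3.13.11": 5,
}

# The only two controls that earn partial credit, and the reduced deduction.
PARTIAL_DEDUCTION = {
    "3.5.3": 3,    # MFA in place for remote and privileged users, not general users
    "3.13.11": 3,  # encryption in use but not FIPS-validated
}


def deduction(control: str, status: str, weights: Dict[str, int] = WEIGHTS) -> int:
    """Points lost for one control given its implementation status."""
    weight = weights[control]
    if weight not in VALID_WEIGHTS:
        raise ValueError(f"{control}: weight must be 1, 3 or 5, got {weight}")
    if status not in STATUSES:
        raise ValueError(f"{control}: unknown status {status!r}")
    if status == "implemented":
        return 0
    if status == "partial" and control in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[control]
    # "partial" on any other control scores the same as not implemented.
    return weight


def score(assessment: Dict[str, str], weights: Dict[str, int] = WEIGHTS) -> int:
    """Assessment score.  A control missing from the assessment is treated as
    not implemented, so forgetting one costs points instead of hiding it."""
    unknown = set(assessment) - set(weights)
    if unknown:
        raise ValueError(f"controls not in weight table: {sorted(unknown)}")
    total = MAX_SCORE
    for control in weights:
        total -= deduction(control, assessment.get(control, "not_implemented"), weights)
    return total


def poam_items(assessment: Dict[str, str], weights: Dict[str, int] = WEIGHTS) -> List[str]:
    """Controls that cost points, i.e. the ones that need a POA&M entry."""
    return [c for c in weights
            if deduction(c, assessment.get(c, "not_implemented"), weights) > 0]


def is_full_table(weights: Dict[str, int]) -> bool:
    """True only for a complete 110-control table whose weights sum to 313."""
    return len(weights) == FULL_TABLE_SIZE and sum(weights.values()) == FULL_TABLE_WEIGHT


# Constructed sample assessment; 3.1.20 is deliberately left out.
SAMPLE_ASSESSMENT = {
    "3.1.1": "implemented",
    "3.1.2": "implemented",
    "3.3.1": "not_implemented",
    "3.5.3": "partial",      # MFA only for remote/privileged users
    "3.13.11": "partial",    # encryption in use, but not FIPS-validated
}

if __name__ == "__main__":
    print("score:", score(SAMPLE_ASSESSMENT))           # 100 against this subset
    print("POA&M items:", poam_items(SAMPLE_ASSESSMENT))
    print("full table:", is_full_table(WEIGHTS))        # False: only 6 of 110
```

Two design choices matter for a real run. A control absent from the assessment is scored as not implemented, so an incomplete spreadsheet lowers the score rather than silently inflating it, and a weight table that is not the full 110 controls fails `is_full_table`, which is the check to run before posting anything to SPRS.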


Here are four points to remember about the self-assessment:

  • If your score is below 110, you must keep a Plan of Action and Milestones (POA&M) that lists each unmet control and how and when the deficiency will be remedied. Once a deficiency has been fixed and verified, you may post an updated score.

  • As a contractor, you must also maintain a System Security Plan (SSP) that describes how the NIST 800-171 controls are implemented, including operational procedures, organizational policies, and technical components.

  • SSPs and POA&Ms are not submitted to SPRS, but they must be available to DoD on request and for audit.

  • Within 30 days of completing a self-assessment, you must submit your score to SPRS.

Now that we’ve established your responsibilities, there’s no time to waste. Here is how we can help.

 

Get assessment-ready now!


To stay eligible for new contracts and contract renewals while CMMC rolls out, start preparing now for a thorough and accurate self-assessment, and close whatever gaps it reveals. That keeps you compliant with the Interim DFARS Rule and ready for whatever CMMC brings next. CMMC is complex and easy to get wrong, and an experienced partner can take much of that burden off your team. Contact us today to put our security specialists on your side.
