The Defense Federal Acquisition Regulation Supplement (DFARS) interim rule has just been issued to assess contractor implementation of cybersecurity requirements. Here are the details contractors need to know.
The Department of Defense (DoD) is facing increasingly complex cyber threats coming from state and non-state actors seeking to disrupt its operations and gain access to sensitive information, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Unfortunately, most previous efforts to improve the cybersecurity posture of the DoD have largely failed to deliver the desired results, including the DFARS clause 252.204-7012, which requires contractors to implement NIST SP 800-171 to safeguard covered defense information that is processed or stored on their internal information system or network.
To improve cybersecurity across the entire Defense Industrial Base (DIB), the DoD issued an Interim Rule on September 29 amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a DoD Assessment Methodology that makes it possible to reliably assess the implementation of NIST SP 800-171.
What Is the DFARS Interim Rule?
The DFARS Interim Rule assesses contractor implementation of the security requirements in NIST SP 800-171 and initiates the phased five-year rollout of the Cybersecurity Maturity Model Certification (CMMC) by creating the following new solicitation provision and contract clauses (none of which applies retroactively to existing contracts):
• DFARS clause 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements)
• DFARS clause 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements)
• DFARS clause 252.204-7021 (Cybersecurity Maturity Model Certification Requirements)
The common objective of these three clauses is to assess contractor implementation of NIST SP 800-171 security requirements, as required by DFARS clause 252.204-7012, to guarantee that DIB contractors can adequately protect sensitive unclassified information at a level commensurate with the risk, accounting for information flowed down to subcontractors.
The DFARS Interim Rule officially took effect on November 30, 2020.
DoD Assessment Methodology and CMMC
Before issuing the Interim Rule, DFARS clause 252.204-7012 required contractors handling CUI to merely perform a self-assessment on the 110 security controls of NIST SP 800-171.
The self-assessment approach left too much room for error and misinterpretation. The new NIST SP 800-171 DoD Assessment Methodology defines a method for assessing a contractor’s implementation of the NIST SP 800-171 security requirements.
The results of the new assessment will be recorded in the newly implemented Supplier Performance Risk System (SPRS) and remain valid for three years.
Contractors can choose between three assessment levels: Basic, Medium, and High.
Basic assessments are self-assessments completed by contractors, while Medium and High assessments are completed by the Government.
A perfect assessment score is 110, and points are deducted for each NIST SP 800-171 control that is not implemented. Contractors whose score falls below 110 are required to create a Plan of Action and Milestones (POAM) describing the current state of their network and their plan to achieve full compliance with all 110 NIST SP 800-171 controls.
The score-based assessments pave the way for the CMMC framework, which adds a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of one of five cybersecurity maturity levels.
How Should Contractors Address the DFARS Interim Rule?
The Interim Rule (DFARS clause 252.204-7019 and DFARS clause 252.204-7020) will be included in all new contracts going forward, so contractors should begin addressing it immediately.
It is important to note that the DoD will use risk-based assessments to determine which contractors are awarded contracts.
A contractor with a lower score will be seen as less secure and is therefore less likely to be awarded the contract. Contractors should do as much as they can to avoid submitting a poor score to the SPRS and, as a result, being forced to create a POAM.
Since the Interim Rule is unlikely to change significantly when the final rule is issued, it is a good idea to begin assessment preparations as soon as possible. Organizations can start by familiarizing themselves with the DoD’s NIST SP 800-171 Assessment Methodology and taking the steps necessary to address security and compliance gaps.
At OSIbeyond, we help organizations improve their NIST SP 800-171 self-assessment scores by supporting their efforts to close security and compliance gaps. Contact us for more information, and see our eBook, 6 Critical Cybersecurity Policies Every Organization Must Have, for guidance on improving your organization’s policies.