The Interim Rule has been put in place to help with the transition to CMMC. The Cybersecurity Maturity Model Certification (CMMC) was formally made part of the Defense Federal Acquisition Regulation Supplement (DFARS) in January 2020.
This decision affected over 300,000 members of the defense industrial base (DIB). This sent the majority, mostly small and midsize businesses (SMBs), into a panic.
With the announcement came a lot of chatter regarding the CMMC and its much larger implications in terms of existing and future DoD contract qualifications.
To throw gas on the fire, at the end of November 2020, the DFARS Interim Rule was introduced. This rule requires all defense contractors to conduct a self-assessment to determine the effectiveness of their cybersecurity.
To do this, one must use the NIST SP 800-171 DoD Assessment Methodology.
In this article, we are going to try and quiet the noise surrounding the CMMC and help you understand the DFARS Interim Rule and how it will affect members of the DIB.
Below you will find the answer to what the Interim Rule has changed, its requirements for contractors, and your first step to compliance. Non-compliance can and will result in penalization by the DoD (Department of Defense).
What has the DFARS Interim Rule Changed?
The Department of Defense has highlighted the need for defense contractors to comply with the 110 cybersecurity controls that the National Institute of Standards and Technology (NIST) Special Publication 800-171 mandates.
DFARS has been in place prior to CMMC since November 2010. It has required the majority of defense contractors and subcontractors to conform to the 110 cybersecurity controls for the past 10 years.
That being said, there were plenty of non-compliant contracts, coupled with irregular audits, that resulted in Controlled Unclassified Information (CUI) being leaked from government contracts.
With CUI getting leaked from contracts even with DFARS in place, the DoD developed the Interim DFARS Rule, which requires contractors to perform a self-assessment. Once done, the 800-171 self-assessment is scored based on a system developed by the DoD.
Once contractors receive their score, they must upload it to the federal database, Supplier Performance Risk System (SPRS).
Self-Assessment & The Scoring Matrix
DoD contractors are required by the CMMC to conduct a self-assessment once every three years, at a minimum. Contractors must score themselves on the implementation of each of the 110 NIST (SP) 800-171 controls.
Each contractor starts the self-assessment with a score of 100%, based on each of the 110 NIST 800-171 controls. Points are subtracted (1-5 points, based on the control’s importance) from the total score for every control that has not been properly implemented.
No partial credit is given for a control that is partially or improperly implemented, even if an attempt was made to implement it. The only exceptions to this rule are Multi-factor Authentication and FIPS-validated encryption.
NIST does not explicitly prioritize security requirements, but it does state that certain controls have a greater impact on a network’s security than others.
Three Things to Remember Concerning the Self-Assessment:
- If you receive less than 110 points on the self-assessment, you must generate a Plan of Action and Milestones (POA&M) document explaining how the partial or improper implementations will be addressed and remediated. You can update your score as each gap is remediated.
- As a contractor, you must also develop and submit a System Security Plan (SSP) with thorough details of implemented NIST 800-171 controls such as operational procedures, organizational policies, and technical components.
- Upon concluding the self-assessment, you must submit the results to the governmental SPRS database within 30 days.
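To make the scoring rules above concrete, here is a small self-assessment scorer written for this article; it is added example code, not the DoD's methodology tool or anything published with the Interim Rule. It applies the rules described in the Self-Assessment section (start from the maximum, deduct each control's full weight when it is not properly implemented, no partial credit except for the MFA and FIPS-validated encryption controls) and then flags whether a POA&M is needed because the score fell below 110. The control IDs follow the SP 800-171 numbering; the point weights shown, the 3-point partial-credit deduction for the two exception controls, and the status of each control are constructed sample values and assumptions for illustration, not the official scoring tables.

```python
# Added example: SPRS-style self-assessment scorer illustrating the rules in the article.
# Weights, partial-credit deduction and statuses below are constructed assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple

MAX_SCORE = 110  # a fully implemented set of 110 controls scores 110 points

# Controls for which the methodology allows partial credit (MFA and FIPS-validated crypto).
PARTIAL_CREDIT_CONTROLS = {"3.5.3", "3.13.11"}
# Assumption for this example: a partial implementation of an exception control
# costs 3 points instead of the control's full weight.
PARTIAL_DEDUCTION = 3


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"            # attempted, but incomplete or improperly configured
    NOT_IMPLEMENTED = "not_implemented"


@dataclass
class ControlResult:
    control_id: str   # SP 800-171 requirement number, e.g. "3.5.3"
    weight: int       # 1-5 points, reflecting the control's importance
    status: Status
    note: str = ""    # free-text evidence pointer for the SSP / POA&M


def deduction_for(result: ControlResult) -> int:
    """Points lost for one control under the no-partial-credit rule."""
    if not 1 <= result.weight <= 5:
        raise ValueError(f"{result.control_id}: weight must be 1-5, got {result.weight}")
    if result.status is Status.IMPLEMENTED:
        return 0
    # Only MFA and FIPS-validated encryption earn partial credit; everything else
    # that is partially or improperly implemented loses its full weight.
    if result.status is Status.PARTIAL and result.control_id in PARTIAL_CREDIT_CONTROLS:
        return min(PARTIAL_DEDUCTION, result.weight)
    return result.weight


def score_assessment(results: List[ControlResult]) -> Tuple[int, List[str]]:
    """Return (score, control IDs that must appear in the POA&M)."""
    ids = [r.control_id for r in results]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate control IDs in assessment results")
    deductions = {r.control_id: deduction_for(r) for r in results}
    score = MAX_SCORE - sum(deductions.values())
    poam_items = [cid for cid, lost in deductions.items() if lost > 0]
    return score, poam_items


def poam_required(score: int) -> bool:
    """A POA&M is required whenever the score is below the 110-point maximum."""
    return score < MAX_SCORE


# Constructed sample: six of the 110 controls. A real assessment lists all 110;
# any control left out of the list is simply not scored here.
SAMPLE_RESULTS = [
    ControlResult("3.1.1", 5, Status.IMPLEMENTED, "AD group membership reviewed"),
    ControlResult("3.1.2", 5, Status.PARTIAL, "role limits on one app only"),   # loses all 5
    ControlResult("3.5.3", 5, Status.PARTIAL, "MFA for remote/privileged only"),  # exception: loses 3
    ControlResult("3.13.11", 5, Status.IMPLEMENTED, "FIPS 140-validated modules"),
    ControlResult("3.4.1", 5, Status.NOT_IMPLEMENTED, "no baseline configs"),   # loses 5
    ControlResult("3.8.3", 1, Status.NOT_IMPLEMENTED, "no media sanitization"),  # loses 1
]

if __name__ == "__main__":
    score, poam = score_assessment(SAMPLE_RESULTS)
    print(f"SPRS score: {score}/{MAX_SCORE}")
    if poam_required(score):
        print("POA&M required for:", ", ".join(poam))
```

Running it on the sample gives a score of 96 and a POA&M list of 3.1.2, 3.5.3, 3.4.1 and 3.8.3; note that the partial role-based access control (3.1.2) costs the full 5 points while the partial MFA rollout costs only 3, which is exactly the exception the article describes. Rerunning the scorer as gaps are remediated gives the updated number to upload to SPRS.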
Now that we have established all that you must do, there’s no time to waste. Here’s what you immediately need to do.
Get Assessment Ready Now!
The DoD’s timeline estimates that the CMMC will be fully implemented by 2026.
Even though this sounds like ample time to wait while the DoD works out every little detail, that is not the case.
Data-Tech is a leading IT Services firm in Tampa and a Registered Provider Organization with two Registered Practitioners.
It is critical that organizations get a jump start on the self-assessment and do whatever it takes to fulfill today’s cybersecurity requirements.
This way, you will comply with the Interim DFARS Rule and will also be prepared for every future development concerning CMMC.
Navigating the complexities of CMMC can be overwhelming.
That’s why having an experienced partner to shoulder the responsibility would ease the pressure on you. We would love to chip in with our best efforts.
All it would take is an email allowing us to talk to you about it.