Interim DFARS Rule: What It Means for You

The Defense Federal Acquisition Regulation Supplement (DFARS) incorporated the Cybersecurity Maturity Model Certification (CMMC) in January 2020, which was updated to CMMC 2.0 in November 2021. This decision impacted over 300,000 members of the defense industrial base (DIB), and many were overwhelmed by the noise surrounding CMMC and its implications for current and future government contracts.

The chaos intensified when the Interim DFARS Rule (DFARS Case 2019-D041) was introduced on November 30, 2020. This rule mandates that all defense contractors conduct cybersecurity self-assessments using the NIST SP 800-171 DOD Assessment Methodology to qualify for new defense contracts and renewals of current contracts.

Despite the discussions and scrutiny, it is essential to comprehend the Interim DFARS Rule and its impact on DIB members. This blog discusses the changes in the Interim DFARS Rule, the requirements for contractors, and the necessary steps to comply with the latest mandate from the Department of Defense (DOD).

What has changed?

The Department of Defense (DOD) has previously emphasized the importance of defense contractors adhering to the 110 cybersecurity controls outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171, which is commonly referred to as "800-171."

Even before the implementation of the Cybersecurity Maturity Model Certification (CMMC), the DFARS required most defense contractors to simply attest that they followed all the controls specified in 800-171. However, non-compliant contractors and infrequent government audits resulted in the leakage of controlled unclassified information (CUI).

To mitigate potential security threats, the Interim DFARS Rule mandates that contractors conduct self-assessments and formally score their compliance status with 800-171 using a specific scoring system developed by the DOD. Contractors must then upload their self-assessment score to a federal Supplier Performance Risk System (SPRS) database to be eligible for new contracts and contract renewals.

Now that you have an understanding of the significant changes in the Interim DFARS Rule, let's delve into how the rule's scoring system operates.

Self-assessment and the scoring matrix

Contractors are required to rate themselves during self-assessment on the implementation of each of the 110 cybersecurity controls outlined in NIST SP 800-171. The CMMC mandates that DOD contractors conduct these self-assessments once every three years unless circumstances require more frequent assessments. Because contractors are subject to DOD and prime contractor audits at any time, it is essential to maintain the cybersecurity controls and keep up-to-date documentation that validates compliance.

The assessment scoring system starts with a perfect score of 110, one starting point for each NIST 800-171 control. Points are then deducted for each control that is not implemented, with each control carrying a weighted point value ranging from one to five based on its significance. Partially implemented controls receive no credit, with two exceptions: multifactor authentication and FIPS-validated encryption. Although NIST does not prioritize its security requirements, the DOD methodology acknowledges that some controls have a more significant impact on network security than others.
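The scoring rules above, written out as a small scorer that also produces the list of failing items a POA&M would need to cover. This is an added example, not code from the original post or from the DOD methodology: the control IDs are real NIST SP 800-171 identifiers, but the point weights and the partial-credit deductions are constructed for illustration and are not the official scoring table.

```python
# Constructed sample weights for six of the 110 controls (illustration only;
# a real assessment table covers every control with its DOD-assigned value).
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions/functions
    "3.1.20": 1,   # control connections to external systems
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.14.2": 5,   # malicious code protection
}

# The only controls that keep credit when partially implemented (the post names
# MFA and FIPS-validated encryption); the reduced deductions are assumptions.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

PERFECT_SCORE = 110
VALID_STATUSES = {"implemented", "partial", "not_implemented"}


def score_assessment(results):
    """Return (score, poam_items) for a {control_id: status} self-assessment.

    Controls missing from `results` count as not implemented, so an incomplete
    assessment can never overstate the score. Each POA&M item is
    (control_id, status, points_deducted).
    """
    score = PERFECT_SCORE
    poam = []
    for control, weight in WEIGHTS.items():
        status = results.get(control, "not_implemented")
        if status not in VALID_STATUSES:
            raise ValueError(f"{control}: unknown status {status!r}")
        if status == "implemented":
            continue
        if status == "partial" and control in PARTIAL_DEDUCTION:
            deduction = PARTIAL_DEDUCTION[control]
        else:
            # Partial implementation earns no credit outside the two exceptions.
            deduction = weight
        score -= deduction
        poam.append((control, status, deduction))
    return score, poam


if __name__ == "__main__":
    # Constructed sample self-assessment.
    sample = {"3.1.1": "implemented", "3.1.2": "implemented",
              "3.1.20": "not_implemented", "3.5.3": "partial",
              "3.13.11": "implemented", "3.14.2": "partial"}
    print(score_assessment(sample))
```

Anything that lands in the returned POA&M list is a deficiency the SSP and POA&M must document before the score is uploaded to SPRS.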

As a contractor, you need to keep in mind the following four important things when it comes to self-assessment:

  1. If you don't receive a perfect score of 110 points, you must create a Plan of Action and Milestones (POA&M) document that outlines how you will address the deficiencies and remediate the failing items. You can update your score once the issues are resolved.
  2. You are required to develop a System Security Plan (SSP) that outlines the implemented NIST 800-171 controls, including operational procedures, organizational policies, and technical components.
  3. Neither SSPs nor POA&Ms are uploaded to the federal database, but both must be available for audit.
  4. After completing the self-assessment, you must submit your scores to the governmental SPRS database within 30 days.

Now that we’ve established everything you must do, there’s no time to waste. Let’s talk about how we can help.

Be Assessment-Ready Now

To remain eligible for new contracts and renewals while CMMC is implemented, you need to begin preparing now for a comprehensive and precise self-assessment and take every step necessary to meet current cybersecurity requirements. This ensures compliance with the Interim DFARS Rule and readiness for any future developments related to CMMC.

The process of navigating through the intricacies of CMMC can be complicated and daunting. Therefore, partnering with an experienced team like ours can help alleviate the stress. Contact us today to have our security experts on your side.