Interim DFARS Rule: What It Means for DoD Contractors & How to Stay Compliant

The Cybersecurity Maturity Model Certification (CMMC) program was introduced in January 2020 and revised as CMMC 2.0 in November 2021. This regulatory shift affects more than 300,000 defense industrial base (DIB) companies, many of which were left sorting through conflicting information about what the changes meant for their existing and future government contracts. 

Then the Interim DFARS Rule (DFARS Case 2019-D041) took effect on November 30, 2020, raising the bar further. It requires defense contractors whose contracts carry DFARS 252.204-7012, meaning those that process, store or transmit controlled unclassified information (CUI), to have a current NIST Special Publication (SP) 800-171 DoD Assessment, scored using the NIST SP 800-171 DoD Assessment Methodology, before they can be awarded new contracts, options or renewals. The Basic level of that assessment is a self-assessment. 

Understanding these evolving requirements is critical for every DIB member. In this blog, we’ll break down what the Interim DFARS Rule entails, how it affects you, and the steps you need to take to stay compliant and maintain your eligibility for government contracts. 

What Changed in the Interim DFARS Rule? 

This isn’t the first time the Department of Defense (DOD) has emphasized the importance of cybersecurity compliance. Defense contractors have long been required to adhere to the 110 cybersecurity controls outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171, commonly referred to as "800-171." 

Previously, most defense contractors simply attested that they followed these controls, but weak enforcement and sporadic audits led to significant cybersecurity vulnerabilities, including leaks of controlled unclassified information (CUI). 

To address these risks, the Interim DFARS Rule now requires contractors to: 

  • Perform a self-assessment (the Basic level of the DoD Assessment Methodology) that scores their implementation of the 110 requirements in 800-171. 
  • Post the resulting summary score in the Supplier Performance Risk System (SPRS). An assessment no more than three years old must be on file before award of new contracts, options or renewals, and prime contractors must confirm the same for their subcontractors before flowing CUI down to them. 
  • Keep the supporting documentation current, because DOD can follow up with a Medium or High assessment of its own, and primes may ask for evidence before awarding subcontracts. 

This shift represents a more stringent approach to cybersecurity compliance, ensuring that contractors take cybersecurity seriously and implement the necessary security measures to protect sensitive government data. 

Understanding the Self-Assessment and Scoring Process 

As part of the self-assessment, defense contractors must evaluate their adherence to each of the 110 NIST 800-171 cybersecurity controls. The scoring methodology works as follows: 

  • Every contractor starts at 110, one point for each of the 110 requirements. 
  • For each requirement that is not implemented, 1, 3 or 5 points are deducted, according to the weight the methodology assigns to that requirement; the lowest possible score is -203. 
  • Partial implementation earns no credit, with two exceptions: multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11) each cost 3 points instead of 5 when partly in place (MFA enforced for remote and privileged users but not for general users; encryption in use but not FIPS-validated). 
  • The summary score, the assessment date, the scope (the system security plan it covers) and the date by which all requirements are expected to be implemented are posted in SPRS, and the assessment must be current (no more than three years old) at the time of award. 

If a contractor does not achieve a perfect score, it must document the gaps in a Plan of Action and Milestones (POA&M), whose planned completion dates are what drive the "expected implementation date" posted in SPRS. Every contractor, whatever its score, must also maintain a System Security Plan (SSP) describing how each requirement is met, including operational procedures, organizational policies and technical configurations. Both documents are themselves 800-171 requirements (3.12.2 and 3.12.4), and the methodology treats a missing SSP not as a point deduction but as grounds that no assessment can be performed at all. 

Although neither the POA&M nor the SSP needs to be uploaded to the SPRS database, they must be readily available for audits. 
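The scoring rules above are mechanical enough to encode. The following is an added example, not a DOD tool and not code from this blog: a small calculator that applies the start-at-110 rule, the 1/3/5 weighted deductions, the reduced 3-point deduction for partially implemented MFA and FIPS cryptography, the -203 floor, and the "no SSP, no score" condition. The per-requirement weights in SAMPLE_WEIGHTS are an assumed illustrative subset; a real assessment must use the weight table for all 110 requirements from Annex A of the methodology, and requirements not listed here are treated as implemented.

```python
"""Added example: SPRS summary score calculator following the NIST SP 800-171
DoD Assessment Methodology rules described in the section above."""
from dataclasses import dataclass
from typing import Dict, Iterable

MAX_SCORE = 110   # every requirement implemented
MIN_SCORE = -203  # every requirement unimplemented

# Requirements that get reduced credit when partially implemented, and the
# deduction that applies in that case (3 points instead of the full 5).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}  # MFA; FIPS-validated crypto

# ASSUMED sample weights, chosen to illustrate the 1/3/5 tiers. A real
# assessment must use Annex A of the methodology for all 110 requirements.
SAMPLE_WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.8.1": 3,    # protect system media containing CUI
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.2": 5,   # protection from malicious code
}


@dataclass(frozen=True)
class Finding:
    req_id: str
    implemented: bool
    partial: bool = False  # only honoured for req_ids in PARTIAL_CREDIT


def deduction(finding: Finding, weights: Dict[str, int]) -> int:
    """Points lost for one requirement (0 if fully implemented)."""
    if finding.implemented:
        return 0
    if finding.partial and finding.req_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[finding.req_id]
    return weights[finding.req_id]


def sprs_score(findings: Iterable[Finding], weights: Dict[str, int],
               has_ssp: bool = True) -> int:
    """Summary score: MAX_SCORE minus deductions, never below MIN_SCORE.

    Raises ValueError when the assessment cannot be scored: no System
    Security Plan (3.12.4), an unknown or duplicated requirement, or a
    requirement in `weights` that was never assessed.
    """
    if not has_ssp:
        raise ValueError("no SSP (3.12.4): assessment cannot be performed")
    by_id: Dict[str, Finding] = {}
    for f in findings:
        if f.req_id in by_id:
            raise ValueError(f"duplicate finding for {f.req_id}")
        if f.req_id not in weights:
            raise ValueError(f"unknown requirement {f.req_id}")
        by_id[f.req_id] = f
    missing = set(weights) - set(by_id)
    if missing:
        raise ValueError(f"unscored requirements: {sorted(missing)}")
    total = sum(deduction(f, weights) for f in by_id.values())
    return max(MAX_SCORE - total, MIN_SCORE)


def sample_assessment() -> int:
    """Constructed findings: one 1-point gap, partial MFA, non-FIPS crypto."""
    findings = [
        Finding("3.1.1", True),
        Finding("3.1.2", True),
        Finding("3.1.3", False),                 # -1
        Finding("3.3.1", True),
        Finding("3.5.3", False, partial=True),   # -3 instead of -5
        Finding("3.8.1", True),
        Finding("3.13.11", False),               # -5 (no encryption at all)
        Finding("3.14.2", True),
    ]
    return sprs_score(findings, SAMPLE_WEIGHTS)


if __name__ == "__main__":
    print("sample SPRS score:", sample_assessment())  # 101
```

Note that `partial=True` changes nothing for requirements outside the two exceptions, which mirrors the methodology: a half-deployed control anywhere else still costs its full weight, and the only way to recover the points is to finish it and move it off the POA&M.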

Why You Must Act Now 

The time to prepare for compliance is now. Even though CMMC is being rolled out in phases, the requirements under the Interim DFARS Rule are already in effect. Contractors who fail to meet these requirements risk losing their eligibility for future contracts and renewals. 

Navigating the complexities of DFARS, CMMC, and NIST compliance can be overwhelming, but you don’t have to do it alone. With the right strategy and expert guidance, you can streamline your compliance efforts and secure your position as a trusted defense contractor. 

Join Our Free Webinar to Get Ahead on CMMC Compliance 

We know that compliance can feel like a moving target, but there is no turning back on CMMC for federal contractors. The best time to start working toward CMMC certification is now, before the requirements become even more rigid. 

That’s why we’re inviting all DoD contractors and subcontractors to join our free CMMC Compliance Masterclass webinar. In this session, you’ll gain actionable insights into: 

  • How to accurately assess your cybersecurity posture under NIST 800-171. 
  • Common mistakes contractors make and how to avoid them. 
  • The exact steps you need to take to achieve compliance and protect your contracts. 

At the end of the webinar, you’ll also receive a free CMMC Compliance Checklist—a practical guide to help you navigate your CMMC journey with confidence. 

Don’t wait until it’s too late. Secure your spot today and take the first step toward ensuring your compliance and contract eligibility. 

👉 Register Now for the Free Webinar 

Compliance isn’t just about meeting requirements—it’s about securing your future in the defense industry. Let’s get started together!