While the new CMMC (Cybersecurity Maturity Model Certification) is still being built out, the Department of Defense has issued an interim rule (DFARS Case 2019-D041) that supplements the existing DFARS cybersecurity clauses rather than replacing them.
The CMMC timeline has been pushed back and is now expected to be phased in over roughly five years. Because the self-attestation model under DFARS 252.204-7012 has not produced verifiable security in the DoD supply chain, interim improvements are needed until CMMC can be fully launched.
These interim improvements move beyond unverified self-attestation by introducing the NIST SP 800-171 DoD Assessment Methodology alongside the CMMC framework. New requirements include a standardized self-scoring methodology with score reporting, and the announcement of DoD-conducted assessments at Basic, Medium, and High levels of scrutiny.
5 Things You Need To Know Now
- The interim requirement takes effect on December 1, 2020 for all contractors that are subject to DFARS clause 252.204-7012 because they store, process, or transmit Controlled Unclassified Information (CUI).
- If you handle CUI, you must complete a new NIST SP 800-171 Basic (self) Assessment using the new scoring methodology, and you must post the resulting score in the Supplier Performance Risk System (SPRS) before a contract can be awarded.
- The assessment must be backed by a System Security Plan (SSP) and a Plan of Action and Milestones (POAM). Together these describe the current state of your network and your plan to reach full implementation of all 110 NIST SP 800-171 requirements, which corresponds to a score of 110.
- Prime Contractors must flow the requirement down to every subcontractor and supplier that also handles CUI.
- Spot checks and higher-level assessments conducted by the DCMA will verify that companies completed the self-assessment, scored themselves accurately, maintain an SSP, and are actively working the POAM to closure.
Interim Self-Assessment Scoring and Reporting
The NIST SP 800-171 DoD Assessment Scoring Methodology detailed in the Interim Rule gives contractors a standardized, comparable score that reflects how many of the 110 NIST SP 800-171 security requirements are actually implemented.
How NIST SP 800-171 DoD Assessment Methodology Scoring Works
In order to accurately assess a contractor's implementation of NIST SP 800-171:
- The NIST SP 800-171 DoD Assessment Methodology enables DoD to assess a contractor's implementation of NIST SP 800-171 on current contracts that include DFARS clause 252.204-7012, and to give DoD Components the summary-level scores of assessments completed by DoD. This creates an alternative to the traditional contract-by-contract approach.
- The NIST SP 800-171 DoD Assessment has three levels: Basic, Medium, and High. The levels differ in the depth of the assessment and therefore in the level of confidence DoD places in the results. A Basic Assessment is a contractor self-assessment; Medium and High Assessments are conducted by DoD personnel, with a High Assessment including verification of the evidence behind the SSP.
- Assessment of contracts containing DFARS clause 252.204-7012 is expected once every three years. Factors such as the risk and criticality of a program, or a change in the contractor's security posture, may change the assessment frequency.
To submit your Basic Assessment to SPRS, you must provide:
- Your system security plan name
- The CAGE code associated with the plan
- A description of the plan architecture
- The completed assessment date
- Your overall score (110 is the maximum, achieved only when every requirement is implemented)
- The date by which you will reach a score of 110, taken from the last POAM milestone
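The scoring arithmetic behind the SPRS entry is simple enough to check with a script. The calculator below is an added example written for this page; it is not the original post's content and not DoD's own tooling. What it encodes as fact: every contractor starts at 110, one point per requirement, and each unimplemented requirement subtracts its weight of 1, 3, or 5 points, so a score can go negative; the only two requirements eligible for partial credit are 3.5.3 (multifactor authentication, 3 points off if MFA covers remote and privileged users but not general users) and 3.13.11 (FIPS-validated cryptography, 3 points off if encryption is in place but not FIPS-validated). The sample requirement list, its statuses, and its POAM dates are constructed, and the weights shown for individual requirements are illustrative assumptions; take each requirement's real weight from the methodology's published table.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

MAX_SCORE = 110            # one point per NIST SP 800-171 requirement
VALID_WEIGHTS = {1, 3, 5}  # point values used by the DoD methodology

# Only these two requirements can receive partial credit; the value is the
# reduced deduction that applies when they are partially implemented.
PARTIAL_DEDUCTION = {
    "3.5.3": 3,    # MFA for remote/privileged users only (full deduction is 5)
    "3.13.11": 3,  # encryption in use but not FIPS-validated (full deduction is 5)
}


@dataclass
class Requirement:
    req_id: str               # NIST SP 800-171 requirement number, e.g. "3.5.3"
    weight: int               # 1, 3 or 5 per the methodology table
    status: str               # "implemented", "not_implemented" or "partial"
    poam_target: Optional[date] = None  # POAM completion date for open items

    def __post_init__(self):
        if self.weight not in VALID_WEIGHTS:
            raise ValueError(f"{self.req_id}: weight must be 1, 3 or 5")
        if self.status not in ("implemented", "not_implemented", "partial"):
            raise ValueError(f"{self.req_id}: unknown status {self.status!r}")
        if self.status == "partial" and not partial_allowed(self.req_id):
            raise ValueError(f"{self.req_id}: partial credit is not permitted")


def partial_allowed(req_id: str) -> bool:
    """True only for the two requirements the methodology lets you score partially."""
    return req_id in PARTIAL_DEDUCTION


def deduction(req: Requirement) -> int:
    """Points subtracted from 110 for one requirement."""
    if req.status == "implemented":
        return 0
    if req.status == "partial":
        return PARTIAL_DEDUCTION[req.req_id]
    return req.weight


def score(reqs: List[Requirement]) -> int:
    """Overall score. Requirements not listed are assumed implemented, so a real
    submission must list all 110 (the methodology has no concept of 'not applicable'
    without a documented enduring exception)."""
    ids = [r.req_id for r in reqs]
    if len(set(ids)) != len(ids):
        raise ValueError("duplicate requirement IDs in assessment")
    if len(ids) > MAX_SCORE:
        raise ValueError("more than 110 requirements listed")
    return MAX_SCORE - sum(deduction(r) for r in reqs)


def projected_110_date(reqs: List[Requirement]) -> Optional[date]:
    """Date a score of 110 is reached: the latest POAM date among open items.
    Returns None when nothing is open; raises if an open item has no POAM date,
    since SPRS cannot accept a projection that the POAM does not support."""
    open_items = [r for r in reqs if deduction(r) > 0]
    if not open_items:
        return None
    undated = [r.req_id for r in open_items if r.poam_target is None]
    if undated:
        raise ValueError(f"open items without a POAM target date: {undated}")
    return max(r.poam_target for r in open_items)


# Constructed sample: five requirements from a hypothetical SSP. Weights are
# illustrative assumptions, not a transcription of the official table.
SAMPLE = [
    Requirement("3.1.1", 5, "implemented"),
    Requirement("3.3.3", 1, "not_implemented", date(2021, 1, 15)),
    Requirement("3.4.2", 5, "not_implemented", date(2021, 4, 30)),
    Requirement("3.5.3", 5, "partial", date(2021, 3, 31)),
    Requirement("3.13.11", 5, "not_implemented", date(2021, 6, 30)),
]

if __name__ == "__main__":
    print("Score:", score(SAMPLE))                       # 110 - 0 - 1 - 5 - 3 - 5
    print("Projected 110 date:", projected_110_date(SAMPLE))
```

Two points worth noticing when you run it against a real SSP: the projected date is driven by the single slowest POAM item, so one 1-point requirement with a distant milestone delays the 110 date as much as a 5-point one; and marking anything other than 3.5.3 or 3.13.11 as "partial" is rejected, because the methodology scores every other requirement as all-or-nothing.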
To ensure the legitimacy of reported results, DoD will conduct spot checks with greater frequency. These check the accuracy of the self-assessment scores posted in SPRS and evaluate the company's actual implementation of NIST SP 800-171.
The assessment level (Basic, Medium, or High) describes the depth of the assessment and the confidence DoD places in it, not how well the contractor has implemented the requirements; that is what the score measures. A contractor with a Basic self-assessment on file may later be selected for a Medium or High Assessment by DoD.
What the Interim Rule Means for DoD Contractors
Contractors Need to Get an Assessment Immediately
Even if you have had an assessment recently, it is wise to update it so that it uses the new scoring methodology. This should happen quickly: as of December 1, a posted SPRS score is required for every contractor with the 252.204-7012 clause in its agreement.
In the long term, contractors handling CUI will need to reach CMMC Level 3, and fulfilling the requirements of the Interim Rule positions them as CMMC Level 3 ready.
DFARS 252.204-7012 Is not Going Away
DFARS 7012 has required full implementation of NIST SP 800-171 since the end of 2017 in order to better protect the DoD supply chain. CMMC has become the new focus as companies prepare to meet the coming standards, but the Interim Rule shows that CMMC builds on the foundation of DFARS 7012 and acts as the enforcement mechanism for the cybersecurity standards already in place.
CMMC is a continuation of DFARS, and the Interim Rule bridges the gap between the two while CMMC is still being enacted.
Get a Scored Assessment Now
Simpatico Systems and our partners at SysArc have helped hundreds of DoD contractors understand the requirements of DFARS 7012 and NIST SP 800-171 and take the necessary steps toward compliance. We help DoD contractors properly protect the confidentiality of CUI so they remain compliant with the regulations and eligible for DoD contracts.
We are here to help you navigate the requirements of the Interim Rule and any other updates that may occur as the CMMC is rolled out and worked into existing DFARS requirements.
Immediate action is required to prepare for the December 1 deadline and remain eligible for contracts. Contact us today for a new scored assessment, and we will guide you through complying with DFARS, the Interim Rule, and future developments of CMMC and DFARS.