What Does The DFARS Interim Final Rule Mean For You?
Have you reviewed the Interim Final Rule released by the DoD at the end of last year? If you plan to keep bidding on defense contracts, you need to get up to speed.
The DoD recently released its Interim Final Rule. In addition to requiring a current NIST SP 800-171 assessment score before award and setting a phased timeline for CMMC, the document also added a number of new DFARS clauses.
Do you know what these clauses are, and what they mean for you as a defense contractor?
NIST 800-171 & CMMC Compliance 101
If you don’t have time to review the Interim Final Rule in detail or have any questions about it in general, make sure you understand the points laid out in this article at the very least. It provides an overview of the DFARS Interim Final Rule and the next steps you need to take to prepare for your NIST 800-171 self-assessment and CMMC compliance.
Beyond submitting your NIST 800-171 self-assessment and CMMC compliance considerations, there are other aspects of the Interim Final Rule you need to take note of.
Interim Final Rule Adds Clauses To DFARS
DFARS 252.204-7019
This clause requires a NIST SP 800-171 DoD Assessment for contracts awarded from Nov. 30, 2020, onward. It builds on the existing DCMA (DIBCAC) assessment program and will act as the bridge to CMMC over the coming years.
Assessments fall into three categories:
- Basic (self-assessment)
- Medium (conducted by DCMA)
- High (conducted by DCMA)
The results of any such assessments are required to be uploaded to the Supplier Performance Risk System (SPRS). The SPRS will act as the central database, holding results of NIST assessments and the CMMC certifications for DoD review.
DFARS 252.204-7020
This clause lays out two requirements:
- Contractors are to provide access to “facilities, systems, and personnel” in support of assessments.
- “Subcontractors have results of a current assessment in SPRS prior to contract award.”
These requirements consolidate all assessment-associated info and ensure that assessors can access systems for the purpose of an assessment.
DFARS 252.204-7021
This clause requires the contractor to hold the CMMC level specified in the contract and to flow that requirement down to subcontractors, with CMMC phased into solicitations and contracts over the rollout period. The details of CMMC compliance align with previous versions released by the DoD.
Furthermore, it’s important to note that DFARS 252.204-7012 hasn’t been modified. This means the underlying requirements for FedRAMP Moderate (or equivalent) cloud services, NIST SP 800-171 implementation, and the cyber incident reporting and related obligations in paragraphs (c) through (g) (reporting within 72 hours, malware submission, media preservation, and DoD access for damage assessment) will continue unchanged.
3 Things You Need To Understand About Self-Assessment
In the process of self-assessing your compliance, you will need to score your organization on the implementation of each of the 110 NIST SP 800-171 security requirements using the DoD Assessment Methodology. Under DFARS 252.204-7019, an assessment is considered current if it is no more than three years old, so you should expect to repeat the self-assessment at least once every three years.
You begin the assessment with a perfect score of 110 (one point per control, regardless of its weight), and points are deducted for any control not implemented. Depending on the control’s significance, each is worth 1, 3, or 5 points, so the score can go well below zero if many high-weight controls are missing.
When conducting your self-assessment, keep the following in mind:
- In the event that you end up with fewer than 110 points, you will be required to develop a Plan of Action and Milestones (POA&M) document, which will detail the areas that require remediation. Your score can be updated as you make changes.
- Contractors like yourself must also have a System Security Plan (SSP) in place, which describes how each of the 110 NIST SP 800-171 requirements is implemented and points to the POA&M for those that are not.
- When finished with your self-assessment, you must submit the results to the governmental SPRS database within 30 days.
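The scoring rules above are mechanical enough to check in code. The following is an added illustration, not part of the original article and not a DoD tool: it applies the DoD Assessment Methodology arithmetic (start at 110, subtract each unimplemented control's weight of 1, 3 or 5; 3.5.3 and 3.13.11 are the only two controls that earn partial credit, costing 3 instead of 5 when partially met) to a constructed sample of controls and produces the SPRS score and the list of POA&M items. The sample control list and its weights are assumptions for illustration; a real submission uses all 110 requirements and the weights from the methodology's published table.

```python
"""Scoring a NIST SP 800-171 Basic (self-)assessment.

Added example, not code from the original article. The control list is a
constructed sample; a real assessment covers all 110 requirements.
"""
from dataclasses import dataclass

PERFECT_SCORE = 110   # one point per control, regardless of weight
MIN_SCORE = -203      # floor if every control is missing (sum of weights is 313)
VALID_WEIGHTS = {1, 3, 5}
VALID_STATUS = {"implemented", "partial", "not_implemented"}

# The only two controls with partial credit under the methodology:
# MFA (3.5.3) and FIPS-validated cryptography (3.13.11) cost 3, not 5, when partial.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Control:
    ident: str    # SP 800-171 requirement number, e.g. "3.5.3"
    weight: int   # points deducted if not implemented: 1, 3 or 5
    status: str   # "implemented", "partial" or "not_implemented"


def validate(controls) -> None:
    """Reject malformed records before they reach the score."""
    seen = set()
    for c in controls:
        if c.weight not in VALID_WEIGHTS:
            raise ValueError(f"{c.ident}: weight must be 1, 3 or 5, got {c.weight}")
        if c.status not in VALID_STATUS:
            raise ValueError(f"{c.ident}: unknown status {c.status!r}")
        if c.ident in seen:
            raise ValueError(f"{c.ident}: duplicate control")
        seen.add(c.ident)


def deduction(c: Control) -> int:
    """Points lost for one control."""
    if c.status == "implemented":
        return 0
    if c.status == "partial" and c.ident in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[c.ident]
    # Every other partial implementation counts as not implemented.
    return c.weight


def score(controls) -> int:
    """SPRS summary score for the assessed controls."""
    validate(controls)
    total = PERFECT_SCORE - sum(deduction(c) for c in controls)
    return max(total, MIN_SCORE)


def needs_poam(controls) -> bool:
    """Anything below 110 requires a Plan of Action and Milestones."""
    return score(controls) < PERFECT_SCORE


def poam_items(controls):
    """Controls needing a POA&M entry, highest deduction first."""
    items = [(c.ident, deduction(c)) for c in controls if deduction(c) > 0]
    return sorted(items, key=lambda t: (-t[1], t[0]))


# Constructed sample (weights assumed for illustration, except 3.5.3 and 3.13.11,
# which are 5-point controls in the methodology).
SAMPLE = [
    Control("3.1.1", 5, "implemented"),        # authorized access control
    Control("3.5.3", 5, "partial"),            # MFA for privileged users only
    Control("3.13.11", 5, "partial"),          # encryption present, not FIPS-validated
    Control("3.8.9", 1, "not_implemented"),    # backup CUI not protected
    Control("3.4.9", 1, "not_implemented"),    # user-installed software uncontrolled
    Control("3.14.6", 5, "implemented"),       # communications monitoring
]

if __name__ == "__main__":
    print("SPRS score:", score(SAMPLE))
    if needs_poam(SAMPLE):
        for ident, pts in poam_items(SAMPLE):
            print(f"POA&M: {ident} (-{pts})")
```

Note that a control marked "partial" that is not 3.5.3 or 3.13.11 loses its full weight; that is the most common scoring mistake in self-assessments, and it is why `deduction` falls through to `c.weight` rather than pro-rating.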
How Much Time Do I Have To Comply?
The Interim Final Rule took effect on Nov. 30, 2020, but it was never meant to be an overnight process. NIST SP 800-171 implementation has been contractually required under DFARS 252.204-7012 since the end of 2017; what changed on Nov. 30, 2020, is that a current assessment score must be posted in SPRS before award. CMMC certification will be rolled out after the fact, with a five-year phase-in period laid out in the Interim Final Rule to walk contractors through CMMC compliance.
What Should I Expect Of The Certification Process?
While the DoD and the CMMC-AB are doing their best to lay out a careful and straightforward process, you can expect road bumps. After all, there are over 200,000 companies that will eventually need to be certified, but at the moment there are nowhere near enough accredited assessors (C3PAOs) to go around.
Throughout 2021, it is expected that the CMMC-AB will be assisting with pairing C3PAOs with contractors that require certification in order to bid on DoD contracts. During that time, you will not be able to seek out a C3PAO outside of these pairings.
Need Expert Assistance Reviewing NIST 800-171 and CMMC Requirements?
Our team is available to help you analyze your current compliance with NIST 800-171, as well as identify what is needed to meet the new standards required for CMMC certification. Doing so will make your business more secure, effective, and competitive in the market.
Becoming compliant with our expert assistance is easy:
- Contact our team and book your Readiness Assessment at a time that fits your schedule
- Our team will assess your environment and IT tools to determine your current state and challenges
- Our team will lay out the necessary steps for your company to meet NIST 800-171 and CMMC requirements