On September 29, 2020, the Department of Defense (DoD) released an interim rule that amends the Defense Federal Acquisition Regulation Supplement (DFARS). The goal of the interim rule is to strengthen the cyber resiliency of the Defense Industrial Base (DIB), which faces increasingly sophisticated cyber threats from both state and non-state actors.
Building Better Cybersecurity Defenses
Before the release of the new DFARS interim rule, government contractors were required by DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” to provide adequate security for covered defense information by implementing NIST SP 800-171 and achieving compliance with each of its 110 security controls.
Unfortunately, not all contractors put the same amount of effort into implementing the mandated security requirements, and under DFARS 252.204-7012 alone the DoD had no mechanism to verify how well any given supplier had implemented them. The cost of weak defenses is substantial: the Council of Economic Advisers (CEA) estimated that malicious cyber activity cost the US economy between $57 billion and $109 billion in 2016 (an economy-wide figure, not one specific to the DIB).
The new DFARS interim rule provides two solutions to the problem, one short-term and one long-term:
- The short-term solution imposes requirements for assessments of contractor compliance with the NIST SP 800-171 security requirements already mandated by DFARS clause 252.204-7012, giving the DoD verifiable evidence that a contractor can protect sensitive information against current cybersecurity threats rather than relying on the contractor's own unverified claim of compliance.
- The long-term solution is the Cybersecurity Maturity Model Certification (CMMC), which will require contractors to receive a CMMC certification to bid on new government contracts. CMMC was announced in January 2020, but it won’t be fully implemented until 2025.
Closer Look at the New DFARS Interim Rule
There are three clauses introduced by the new DFARS interim rule to assess contractor implementation of NIST SP 800-171 security requirements and initiate the five-year rollout of the CMMC.
DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements)
DFARS 252.204-7019 requires contractors that handle covered defense information (the same contractors subject to DFARS 252.204-7012) to have a current NIST SP 800-171 DoD Assessment, meaning one not more than three years old, on file in the Supplier Performance Risk Management System (SPRS). SPRS is the DoD's authoritative source of quantifiable past performance information on a contractor's quality and delivery performance, and the assessment score posted there is checked before a contract is awarded.
DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements)
DFARS 252.204-7020 defines three different NIST SP 800-171 assessment depths: basic assessment, medium assessment, and high assessment.
The biggest difference between them is who performs the assessment and how deeply it looks. Basic assessments are self-assessments. Medium and high assessments are performed by government assessors, in practice personnel from the Defense Contract Management Agency's (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC): a medium assessment reviews the contractor's System Security Plan and its description of how each requirement is implemented, while a high assessment additionally verifies that implementation through examination and testing.
All three use the same scoring method. A contractor starts with the maximum score of 110 and loses 1, 3, or 5 points for each unimplemented requirement, depending on its weight, so a score can fall well below zero. Any contractor that does not score a perfect 110 must document the gaps in a Plan of Action and Milestones (POA&M) and report the date by which full implementation is expected.
DFARS 252.204-7021 (Cybersecurity Maturity Model Certification Requirements)
Finally, DFARS 252.204-7021 requires all contractors who want to bid on government contracts where this clause is included to hold a current CMMC certificate at the maturity level designated by the contract (CMMC recognizes five maturity levels). The certificate is issued not by the DoD but by a CMMC Third Party Assessment Organization (C3PAO) accredited by the independent CMMC Accreditation Body (CMMC-AB).
During the phased rollout the clause appears only in solicitations approved for it; from October 1, 2025, it will be included in all DoD solicitations except those exclusively for commercial off-the-shelf (COTS) items.
Addressing the New DFARS Interim Rule
The DoD anticipates that the requirement to have completed a basic assessment alone will impact approximately 26,000 contractors over the next three years, while the CMMC will impact virtually the entire DIB, 74 percent of which are small businesses.
To remain competitive and successfully secure future government contracts, all contractors working for the DoD should immediately assess their cybersecurity posture against the 110 NIST SP 800-171 security requirements, post the resulting score in SPRS, document any remaining gaps in a POA&M, and take the steps necessary to achieve the highest assessment score possible.
At Aligned Technology Solutions, we can help you close the security gaps that would otherwise prevent you from recording a perfect assessment score of 110 points in SPRS. With our help, you won’t have any trouble winning the most attractive contracts. Contact us today and let us support you on your cybersecurity maturity journey.