With the announcement of the U.S. Department of Defense's (DoD) Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule last fall, which builds on the existing DFARS 252.204-7012 clause, DoD contractors have been searching for guidance and answers to new data protection and governance rules surrounding cybersecurity and the handling of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Here at CORTAC Group, we have a long history of helping defense industrial base (DIB) suppliers navigate the sea of complex legal, contractual, and industry regulations and requirements. We've created a straightforward explanation of what the DFARS Interim Rule means, and three steps you can take to keep your current defense contracts and help win future business with the DoD and other US federal agencies.
What is the DFARS Interim Rule?
The DFARS Interim Rule specifies three major points of interest for all prime contractors and their subcontractors.
- The rule requires suppliers to assess and report how fully they have implemented the 110 security requirements (commonly called controls) of NIST SP 800-171.
- The rule requires the NIST SP 800-171 assessment score to be posted in the Supplier Performance Risk System (SPRS). SPRS is the single authoritative source the DoD acquisition community uses to see a supplier's current security and compliance posture, and contracting officers consult it during contract awards. In some cases, suppliers have been disqualified simply for not having a current SPRS score on record.
- The rule also introduces the new Cybersecurity Maturity Model Certification (CMMC) framework, with supplier requirements that depend on the type of information received, stored, created, or transmitted while executing a DoD project. Over the next few years CMMC will be phased in as the key DoD procurement gate, layered on top of DFARS 252.204-7012 rather than replacing it, to improve defense supply chain security and stop data exfiltration by nation states and criminals.
There’s a lot packed into these three items, so before outlining actions DoD suppliers should take to be compliant, let’s review the basics of each standard more carefully.
DFARS 252.204-7012 (NIST SP 800-171)
DFARS 252.204-7012, which in its current form has required full implementation of NIST SP 800-171 since December 31, 2017, made the 110 security requirements of NIST SP 800-171 the standard for protecting CUI in non-federal systems, such as a supplier's internal IT. Under it, contractors had to report cyber incidents affecting covered systems to DoD, self-assess against the NIST SP 800-171 requirements, and maintain a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) for their company.
The new DFARS Interim Rule establishes that contractors must not only continue to adhere to NIST SP 800-171, they must also submit a NIST SP 800-171 DoD Assessment score to SPRS before award. The score reflects how many of the 110 requirements are implemented rather than certifying full compliance, and it can be updated as POA&M items are closed and the security and compliance posture improves; a score more than three years old no longer counts as current.
Most DIB suppliers will be able to submit a self-assessment, known as the Basic assessment. The Medium and High assessment levels are not a measure of a supplier's security; they are selected by DoD based on the criticality of the program, and they are performed by the government through the Defense Contract Management Agency (DCMA). A High assessment in particular means allowing access to facilities, systems and personnel.
By requiring suppliers to improve and report their current security and compliance posture, and by allowing DoD representatives on-premises, the rule is a clear step forward in DoD enforcement. It also lays the groundwork for third-party assessment and 100% compliance before award of future DoD contracts that carry CMMC requirements.
Differences Compared To Cybersecurity Maturity Model Certification
CMMC is similar to, yet distinct from, DFARS 252.204-7012. CMMC builds on the DFARS requirements and the cybersecurity baseline defined in NIST SP 800-171, which every supplier handling CUI had to meet in full regardless of size or mission. The DoD recognized that this "one size fits all" model was not optimal and established a tiered model based on the type of information a supplier handles: the more sensitive the data, the higher the level and the more practices and processes that must be implemented.
The CMMC model is structured across five levels according to the cybersecurity maturity needed to meet specific contract requirements. Certification at each level is performed by a CMMC Third-Party Assessment Organization (C3PAO). C3PAOs are accredited by the independent CMMC Accreditation Board (CMMC-AB), the accreditation body recognized by the Department of Defense. CMMC Levels 1 and 2 are established as baseline security standards.
Levels 1 and 2 of CMMC combine the basic safeguarding requirements of the Federal Acquisition Regulation (FAR), a subset of NIST SP 800-171, and other cybersecurity practices, while Level 3 and above require all 110 NIST SP 800-171 controls plus 20 additional practices and the maturity processes (documented policies and practices and a resourced plan) that demonstrate ongoing organizational maturity and resiliency.
Another key difference is that a CMMC certification is a go/no-go decision made by a C3PAO after a separate assessment: your organization either meets every requirement of the target level or it does not, and unlike a SPRS score there is no partial credit. This matters for planning, because it will directly affect the ability to keep or win future contracts. In plain language, organizations will need to achieve 100% compliance at their required level and maintain it for the duration of an awarded contract. A CMMC certification is valid for three years and can be reused across your DoD contract awards.
While DFARS 252.204-7012 and CMMC share the common goal of improving cybersecurity, the frameworks differ as described above. They also have important similarities:
- Both are based on NIST SP 800-171 requirements and require cyber incident reporting to DoD
- Both were established to improve the protection and handling of controlled unclassified information (including ITAR-controlled data)
- Both require supplier reporting to DoD that feeds acquisition and procurement decisions
Three Steps You Need To Take Now
Starting a DFARS 252.204-7012 / NIST SP 800-171 or CMMC compliance journey can feel overwhelming. Achieving compliance, however, is a relatively straightforward process. The key to acting on the DFARS Interim Rule and starting your journey now is understanding your current security and compliance posture. Early on, it is important to identify the right tools for finding compliance gaps and vulnerabilities, and the right professional insight tailored to the specific needs of your company.
Here are three steps you can take today that will help you get ahead of the curve and help your company keep valuable contracts and win new business in this rapidly changing marketplace:
- Understand your risks and obligations by baselining data protection and security gaps and vulnerabilities via a readiness assessment.
- Develop an executive business roadmap for attaining right-sized, cost-optimized solutions that fill the gaps and get your company to audit-ready status. Not everyone will need CMMC Level 3 maturity.
- Proactively assemble the right set of actions to plan, implement, and maintain the specific requirements you need to keep your existing contracts and compete for future ones.
Conclusion
Companies that pursue a well-documented and well-implemented set of cybersecurity compliance practices, processes and documentation set themselves up for long-term success. The DFARS Interim Rule is just the beginning. President Biden's Executive Order 14028 on Improving the Nation's Cybersecurity (May 2021) outlines further mandates to better protect the nation against cyber threats. Regardless of company size, planning now for the right IT investments in infrastructure, practices, and policies to meet compliance standards will save you time and money later. We're committed to helping your company preserve and protect its data and forge ahead confidently to win more business with the federal government.
Share with us your most pressing questions about the DFARS interim rule and CMMC. Learn more about our regulatory compliance services. To schedule a free consultation, email me directly at jerry.leishman@cortacgroup.com or call us at 1-833-530-2083.