The Interim DFARS Rule and What It Means for You

The Cybersecurity Maturity Model Certification (CMMC) was formally made part of the Defense Federal Acquisition Regulation Supplement (DFARS) in January 2020. The decision sent over 300,000 members of the defense industrial base (DIB), mostly small and midsize businesses (SMBs), into a state of frenzy. Most found themselves drowning in all the unnecessary noise surrounding CMMC and its larger implications on existing and future government contracts.

The chaos increased when the Interim DFARS Rule (DFARS Case 2019-D041) joined the fray on November 30, 2020. This rule mandates that all defense contractors perform self-assessments of their cybersecurity efficacy using the NIST SP 800-171 DoD Assessment Methodology.

Amid all the deliberation and scrutiny, let us try to understand the Interim DFARS Rule and its impact on you as a member of the DIB. In this short read, we will tell you exactly what the Interim DFARS Rule changed, what it mandates contractors to do, and what your next immediate step should be if you do not wish to be penalized for non-compliance with this latest mandate by the Department of Defense (DoD).

What the Interim DFARS Rule Changed

This is not the first time the DoD has emphasized the need for defense contractors to follow the 110 cybersecurity controls in the National Institute of Standards and Technology (NIST) Special Publication 800-171, generally referred to as “800-171.”

Even prior to the adoption of the CMMC, DFARS required most defense contractors merely to attest that they followed all the controls specified in 800-171. However, widespread non-compliance combined with only sporadic government audits led to controlled unclassified information (CUI) leaking out of government contracts.

Therefore, in a bid to counter potential security threats, the Interim DFARS Rule requires contractors to perform complete self-assessments and formally score their 800-171 compliance status using a specific scoring system developed by the DoD. The post-assessment score must then be uploaded to a federal database, the Supplier Performance Risk System (SPRS).

The deadline for you to conduct a self-assessment and upload it to the SPRS database was yesterday (yes, you read that right) if you intend to accept any DoD-related contracts issued after December 1, 2020 that include the flow down of DFARS 252.204-7012.

Having understood the urgency with which you must approach complying with the Interim DFARS Rule, let us now look at how the interim rule scoring works.

Self-Assessment and the Scoring Matrix

During the self-assessment, contractors are expected to score themselves on the implementation of each of the 110 NIST SP 800-171 cybersecurity controls. The CMMC requires DoD contractors to conduct these self-assessments once every three years, unless something necessitates a change in frequency.

The assessment scoring begins with a perfect score of 110, one point for each of the 110 NIST 800-171 controls. Points are then subtracted for every control that has not been implemented. Each unimplemented control costs between one and five points, depending on the control’s significance.

No credit is given for partially implemented controls, with two exceptions: multifactor authentication and FIPS-validated encryption. Although NIST does not prioritize its security requirements, it does state that certain controls have a greater impact on a network’s security.

Here are three things you must remember with respect to the self-assessment:

  • If you receive less than 110 points, you must generate a Plan of Action and Milestones (POA&M) document explaining how the deficiencies will be addressed and the failing items remediated. You can update your score as those deficiencies are remediated.
  • As a contractor, you must also develop and submit a System Security Plan (SSP) with thorough details of implemented NIST 800-171 controls such as operational procedures, organizational policies and technical components.
  • Upon concluding the self-assessment, you must submit the results to the governmental SPRS database within 30 days.
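To make the scoring rules above concrete, here is a small Python calculator added as an illustration; it is not part of the original article and not a UDT or DoD tool. It starts at 110, subtracts each unimplemented control’s weight, allows partial credit only for the multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11) requirements, and emits the list of deficient controls that a POA&M must cover. The requirement numbers are real SP 800-171 identifiers, but the weight table is a constructed subset (the real methodology weights all 110 controls), and the size of the partial-credit deduction (`PARTIAL_DEDUCTION`) is an assumption for illustration, not a value taken from the article.

```python
"""Illustrative NIST SP 800-171 self-assessment scorer (added example, not the
DoD methodology itself). Scoring rules follow the article: start at 110,
subtract a 1-5 point weight per unimplemented control, no partial credit
except for MFA and FIPS-validated encryption, and any score below 110
requires a POA&M."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_SCORE = 110  # one point per control, 110 controls in all

# Constructed weight table: IDs are real SP 800-171 requirement numbers, but
# the weights here are illustrative and cover only a handful of controls.
# A real assessment would carry the full 110-entry table.
CONTROL_WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.20": 1,   # verify and control connections to external systems
    "3.3.1": 5,    # create and retain system audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography to protect CUI
    "3.14.1": 5,   # identify, report and correct system flaws
}

# Only these two controls may earn partial credit (per the article).
PARTIAL_CREDIT_CONTROLS = {"3.5.3", "3.13.11"}
# ASSUMPTION: a partial implementation of an eligible control loses this
# many points instead of its full weight.
PARTIAL_DEDUCTION = 3

VALID_STATUSES = {"implemented", "partial", "not_implemented"}


@dataclass
class PoamItem:
    """One deficient control that the POA&M must address."""
    control: str
    status: str
    points_lost: int


def score_assessment(
    statuses: Dict[str, str],
    weights: Dict[str, int] = CONTROL_WEIGHTS,
) -> Tuple[int, List[PoamItem]]:
    """Return (score, poam_items) for the given control statuses.

    Every control in `weights` is scored; a control missing from `statuses`
    is treated as not implemented, which is the conservative reading.
    """
    score = MAX_SCORE
    poam: List[PoamItem] = []
    for control, weight in weights.items():
        status = statuses.get(control, "not_implemented")
        if status not in VALID_STATUSES:
            raise ValueError(f"{control}: unknown status {status!r}")
        if status == "implemented":
            continue
        if status == "partial" and control in PARTIAL_CREDIT_CONTROLS:
            lost = PARTIAL_DEDUCTION
        else:
            # Partial implementation of any other control earns no credit,
            # so it is scored exactly like a missing control.
            lost = weight
        score -= lost
        poam.append(PoamItem(control, status, lost))
    return score, poam


def needs_poam(score: int) -> bool:
    """Anything short of a perfect 110 requires a POA&M."""
    return score < MAX_SCORE


# Constructed sample self-assessment results for the controls above.
SAMPLE_STATUSES: Dict[str, str] = {
    "3.1.1": "implemented",
    "3.1.2": "implemented",
    "3.1.20": "not_implemented",  # -1
    "3.3.1": "partial",           # not eligible for partial credit: -5
    "3.5.3": "partial",           # MFA partial: -PARTIAL_DEDUCTION
    "3.13.11": "not_implemented", # -5
    "3.14.1": "implemented",
}

if __name__ == "__main__":
    total, items = score_assessment(SAMPLE_STATUSES)
    print(f"SPRS score: {total}/{MAX_SCORE}  POA&M required: {needs_poam(total)}")
    for item in items:
        print(f"  {item.control:8} {item.status:16} -{item.points_lost}")
```

The sample run scores 96: the partially implemented audit-logging control costs its full five points because only the two named controls are eligible for partial credit, which is the detail most often missed when teams score themselves generously.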

Now that we have established all that you must do, there’s no time to waste. Here’s what you immediately need to do.

Get Assessment Ready Now!

While the DoD works out every last detail of CMMC and rolls it out by 2026, you cannot simply wait in anticipation. You must start gearing up to conduct a thorough and accurate self-assessment, and then do whatever it takes to fulfill today’s cybersecurity requirements. This way, you will comply with the Interim DFARS Rule and also be prepared for every future development in CMMC.

Navigating the complexities of CMMC can be overwhelming. That’s why having an experienced partner to shoulder the responsibility would ease the pressure on you.
