The Ins and Outs of the DFARS Interim Final Rule
DFARS Interim Final Rule
Controlled Unclassified Information (CUI) has to be protected. The control and security of this information have been at the forefront of the Department of Defense's (DOD) concerns for quite some time. As far back as November 2010, the White House issued Executive Order (EO) 13556 to create a uniform program across civilian and defense agencies for managing the safeguarding and dissemination of information, pursuant to and consistent with law, regulation, and Government-wide policies. In 2014, the National Institute of Standards and Technology (NIST) issued a regulatory document entitled Special Publication 800-171. This requirement was developed to ensure that those working with the Department of Defense would have methods in place to meet the requirements for protecting sensitive information.
By December 31, 2017, approximately 300,000 companies were required to comply with NIST 800-171. The Defense Federal Acquisition Regulation Supplement (DFARS) issued Clause 252.204-7012 to require contractors to comply with the NIST 800-171 framework. In September 2020, an interim final rule amended DFARS 252.204-7012 to implement the Cybersecurity Maturity Model Certification (CMMC) program. This interim rule went into effect on November 30, 2020, and is a two-pronged approach introducing a mandatory construct. The interim rule requires every DOD contractor to complete a self-assessment against the NIST 800-171 standard and helps to bridge the move from DFARS 252.204-7012 to CMMC certification by 2025.
The interim rule was implemented after an audit of DOD contractors' IT systems found that contractors had not consistently implemented the controls and security requirements mandated by DFARS 252.204-7012. The Under Secretary of Defense believed only 1% of defense companies had implemented all 110 controls required by NIST 800-171. These assessments drove the implementation of the interim final rule. Compliance with regulations is of utmost importance, especially in light of the recent attack on the federal government by suspected Russian hackers that may have infiltrated as many as 40 companies, government agencies and think tanks. If you are overwhelmed by the nuances of compliance, HRCT is here to help. Read on for more information about the interim rule and how to make sure you are compliant.
Who is Affected by the Interim Rule?
All DOD contractors and subcontractors, excluding suppliers of COTS (commercial off-the-shelf) hardware or software, are affected by the interim final rule. All DOD contractors must submit a NIST 800-171 self-assessment score before a contract award. The top five North American Industry Classification System (NAICS) codes impacted by the interim final rule are estimated to be:
- 541712 – R&D in the physical, engineering and life sciences
- 541330 – engineering services
- 236220 – commercial and institutional building construction
- 541519 – other computer-related services
- 561210 – facilities support
At the time the interim final rule was issued, the DOD conducted a regulatory analysis and determined that the cost of becoming compliant cannot be attributed to this interim final rule, because contractors should already have implemented the cybersecurity requirements listed in NIST 800-171.
What are the Differences and Requirements of the Interim Rule?
There are three portions of the interim final rule: 252.204-7019, 252.204-7020, and 252.204-7021. 7019 and 7020 go into effect immediately. The chart below spells out the major differences between the regulations.
| | Existing DFARS 252.204-7012 | NEW DFARS 252.204-7019 | NEW DFARS 252.204-7020 | NEW DFARS 252.204-7021 |
|---|---|---|---|---|
| Who is required | Contract with DFARS 252.204-7012 | New contract/subcontract, TO, DO | New contract/subcontract, TO, DO | Progressive flow-out starting with significant new contracts |
| When required | Now | Prior to contract award | After contract award | Before contract award |
| How required | Self-attestation | Self-assessment | DOD assessment | Certified Third Party Assessing Organization (C3PAO) |
| What required | NIST 800-171 with system security plan (SSP) allowing for Plan of Action Milestones | NIST 800-171 Assessment Methodology Program; includes a description of the SSP, the score and the date by which all requirements are expected to be completed | NIST 800-171 Assessment Methodology Program for medium- and high-risk contracts; includes thorough examination of SSPs, POAMs and related documentation, and in high-risk cases extends to validation | CMMC qualifications/certification |
| Number of controls | 110 controls | 110 controls | 110 controls | 130 practices (including the 110 controls) |
| Scoring | | Weighted score out of 110 / risk assessment | Weighted score out of 110 / risk assessment | Pass/fail audit |
| Where documented | Honor system self-attestation | Supplier Performance Risk System (SPRS) | Supplier Performance Risk System (SPRS) | Supplier Performance Risk System (SPRS) |
| How often | Every 3 years | Every 3 years | Every 3 years | Every 3 years |
A perfect score on the NIST 800-171 assessment is 110. The assessment methodology is theoretically objective: it uses a weighted scoring scheme based on the impact of each control on the information system. When performing the self-assessment, businesses start from a perfect score and subtract points for any control that is not fully implemented. Of the 110 controls, 42 are worth 5 points, 14 are worth 3 points and 54 are worth 1 point. Because the weights add up to more than 110, it is possible to have a negative score.
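The scoring scheme described above, as an added example that is not part of the original article: a small calculator that starts from 110, subtracts the weight of every control that is not fully implemented, and rejects unknown control IDs so a typo in a POAM cannot inflate the score. The control catalogue (names `CTRL-001` to `CTRL-110` and their weights) is a constructed placeholder; the real per-control weights come from the DOD Assessment Methodology.

```python
from typing import Dict, Set

# Number of controls in each weight tier, as stated in the article.
TIER_COUNTS = {5: 42, 3: 14, 1: 54}
PERFECT_SCORE = 110


def minimum_possible_score() -> int:
    """Score if nothing is implemented: 110 minus the sum of all weights."""
    return PERFECT_SCORE - sum(w * n for w, n in TIER_COUNTS.items())


def sprs_score(control_weights: Dict[str, int], not_implemented: Set[str]) -> int:
    """Start from a perfect 110 and subtract each unimplemented control's weight.

    control_weights maps every one of the 110 control IDs to its weight (1, 3 or 5).
    Unknown IDs in not_implemented raise instead of being silently ignored.
    """
    if len(control_weights) != PERFECT_SCORE:
        raise ValueError(f"expected {PERFECT_SCORE} controls, got {len(control_weights)}")
    for cid, weight in control_weights.items():
        if weight not in TIER_COUNTS:
            raise ValueError(f"{cid}: weight {weight} is not 1, 3 or 5")
    unknown = not_implemented - control_weights.keys()
    if unknown:
        raise ValueError(f"unknown control IDs: {sorted(unknown)}")
    return PERFECT_SCORE - sum(control_weights[cid] for cid in not_implemented)


# Constructed placeholder catalogue: 42 five-point, 14 three-point and 54 one-point
# controls named CTRL-001 .. CTRL-110 (not the real NIST 3.x.y identifiers or weights).
SAMPLE_WEIGHTS = {
    f"CTRL-{i:03d}": w
    for i, w in enumerate([5] * 42 + [3] * 14 + [1] * 54, start=1)
}

if __name__ == "__main__":
    gaps = {"CTRL-001", "CTRL-050", "CTRL-100"}  # one open item from each tier
    print(sprs_score(SAMPLE_WEIGHTS, gaps))      # 110 - (5 + 3 + 1) = 101
    print(minimum_possible_score())              # -196
```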
Portions 7019 and 7020 are a bridge to the new standard, 7021. Section 7021 mandates the new CMMC. Given that 7019 isn't fully objective and the DOD doesn't have the capacity to review every company, the CMMC program allows the DOD to roll out a comprehensive and scalable program in which third parties complete the reviews. A full explanation can be seen at https://.acq.osd.mil/cmmc/index.html. The ultimate goal is for CMMC to be in all contracts by October 1, 2025. CMMC has 5 levels, and most companies will need to meet compliance with level 3. Level 3 CMMC compliance requires all 110 controls of NIST 800-171 plus an additional 20 practices from CMMC. The controls fall under various domains within the categories of IT tools, technical configurations and administrative measures (policies, standards and procedures).
What do you Need to Comply and How do you Submit Compliance?
There are several steps necessary in order to achieve NIST compliance, and the NIST 800-171 self-assessment is integral. First, make sure you have your system security plan (SSP) and plan of action milestones (POAMs). You need a Procurement Integrated Enterprise Environment (PIEE) account, or must create one. Within your PIEE account, the SPRS cyber vendor role needs to be marked active. You will also need the date of assessment, the summary level score, the scope of assessment (commercial and government entity (CAGE) codes) and the plan of action completion date. This is the date by which a score of 110 on the NIST 800-171 assessment is expected to be achieved. The specific steps are listed below:
Step 1: Gain PIEE Access – the landing page is https://piee.eb.mil/piee-landing/
- Navigate to "My account"
- Add additional roles
- Choose Supplier Performance Risk System (SPRS) "cyber vendor" user
- Complete the justification and agreement and submit for approval
Tips can be found at www.sprs.csd.disa.mil. Within several days you'll get an email confirmation. At that point, you can continue.
Step 2: Gain SPRS Access
- Navigate to the PIEE landing page
- Click login
- Select SPRS icon
- Select NIST 800-171 assessment
Step 3: Submit Your Assessment
- Open the assessment database
- Header view – displays past assessments
- Create a new header
- Enter the CAGE code, company name and confidence level
- Click "add new assessment"
- Enter the assessment details, including the date, score, scope, plan of action completion date and included CAGE codes
If you have issues with submission, one of several common errors may have occurred. Make sure you have a CAGE code and make sure the "cyber vendor" user is set to active. If you still need help, the easiest way is to contact the help desk by calling 866-618-5988 or checking out these useful links:
- https://wawf.eb.mil/piee-landing
- https://www.sprs.csd.disa.mil/default.htm
- https://usfcr.com/sam-registration/
- https://www.sprs.csd.disa.mil/pdf/NISTSP800-171QuickEntryGuide.pdf
Planning for 2021: What are the Steps You Need to Take to Achieve Full CMMC Compliance?
There are several steps that you can take now to improve your assessment score and prepare for CMMC compliance. We recommend the following:
- Assess your current environment and future needs
- Determine your level of CMMC compliance necessary
- Review current SSP and POAMs
- Develop a plan for NIST 800-171 and CMMC compliance
- Review existing policies and procedures
- Review physical security practices
- Identify/document gaps
- Provide security assessment report (SAR) and POAMs
- Document policies and procedures
- Implement IT Plan
- Finalize system security plan (SSP)
- Continuously monitor and remediate IT issues, continuously audit/evidence collection to demonstrate compliance
- Support internal self-assessment at least annually
There are multiple risks associated with non-compliance, such as lost revenue and an inability to secure additional contracts, in addition to possible civil and criminal penalties.
If you are overwhelmed with the interim final rule and need someone to remove the burden of cybersecurity compliance and technology challenges, call on HRCT to help at (800) 319-1878. Our technical experts can ensure you meet the requirements of the DOD with a completely outsourced, innovative and comprehensive managed services model.