What Is DFARS Interim Rule?
DFARS is a set of legal requirements demanding that all Department of Defense (DoD) contractors meet predefined cyber security standards.
In September 2020, the DoD released the DFARS Interim Rule that took effect on November 30, 2020. The new interim rule introduced three additional clauses to DFARS: 7019, 7020, and 7021, which primarily focus on NIST SP 800-171 self-assessment requirements and how the scores affect CMMC certification.
Under these rules, all DoD contractors and sub-contractors handling CUI (Controlled Unclassified Information) must self-assess their NIST SP 800-171 compliance and fill in their score in DoD’s SPRS (Supplier Performance Risk System). The score begins at 110 points. Points are deducted for every missing NIST SP 800-171 security control, and since some controls carry more than one point, it’s possible to have a negative score. As of November 30, 2020, the score must be reported before any contract can be awarded, and the self-assessment must be maintained during the contract period.
DFARS and CMMC
DFARS allows you to self-attest compliance with NIST SP 800-171, while CMMC confirms it. CMMC is not a DFARS alternative or replacement; the DoD only introduced it as a multi-level certification framework to cover contractors with different threat profiles and security maturity levels. The DoD realized a one-size-fits-all certification approach would be unfair to contractors that have to meet certain security standards that don’t necessarily apply to their line of work or business model.
CMMC Level 1 vs. Level 3
The CMMC certification framework consists of five maturity levels. CMMC Level 1 requires organizations to perform 17 basic cyber hygiene practices in FAR 48 CFR 52.204-21. These practices are not documented, so the maturity level is not assessed. CMMC level 3 is much more comprehensive. It encompasses all security practices and controls from NIST SP 800-701, including 20 additional practices for good cyber hygiene.
What is SSP & POAM?
If a contractor’s or subcontractor’s self-assessment score falls below 110 points, they must submit a POAM (Plan of Action and Milestones). A POAM is a document indicating the date and plans to fill the security gaps in order to achieve a maximum score. POAMs are not allowable in CMMC and must be addressed before certification.
The SSP (System Security Plan) is part of the NIST 800-171 security requirement. It shows a readable overview of an organization’s security posture, requirements, and security controls in place. An SSP review is the first step in assessing compliance with DFARS during a DoD contract consideration.
Start your compliance now – Get your SCORE NOW.
The DoD does not specify the minimum self-assessment score that guarantees a contract qualification. But a higher self-assessment score should definitely put you ahead of a lower-scoring competitor, at least where security readiness is concerned. And keep in mind there are no POAMs allowed for CMMC certification and thus the DoD will not award you any contracts requiring CMMC compliance.
It’s time you put in the effort to become DFARS-compliant. The DoD says that CMMC requirements will continue appearing in more contracts in 2021. And many existing and aspiring DoD contractors are already upping their security compliance game.