Your business has the potential to greatly assist the DoD — but only if contracts come your way and you win them. In an increasingly compliance-focused future, winning contracts just isn't possible without a strong commitment to risk management and compliance.
Recently, the regulations around DoD contracts shifted, as the DFARS Interim Rule to Clause 252.204-7012 was born. This post will tell you why the new DFARS regulations matter to you, and how you can get started on the path to compliance — easily and right now — using our self-assessment tool.
Published September 29, 2020 and going into effect at the end of November, the rule means Department of Defense contractors must work diligently and quickly.
The new DFARS interim rule introduces a mandatory scoring system for contractor compliance that requires your business to take immediate action.
The Interim Rule went into effect on November 30, 2020 and you must learn to play by it if you want to continue qualifying for DoD contracts, task orders, or delivery orders that include DFARS Clause 252.204-7012.
However, it's important to keep our heads: November 30 wasn't the deadline for a perfect score on the assessment. It just meant that the contracts you compete for will now feature this requirement. And now that the requirement is in place, you can be in the perfect spot to compete. Here's how:
You can get from Point A (where you are today) to Point B (compliance with the Interim Rule) with this tool. The mandatory steps you need to take, as soon as possible, are as follows:
Follow the steps located in the table in the top right of the tool to go from start to finish.
If you have access to all of your company's IT and security information and documentation, you may be able to perform the self-assessment entirely on your own. However, we recommend gathering a couple of key resources before you dive in so that it runs smoothly.
Getting access to the right people to help with the assessment is a great first step. Your IT staff should know every process, technology and policy your company has in place, and your cybersecurity analysts should understand each of those facets and be adept at comparing them against in-depth compliance requirements.
The assessment should be conducted by analysts experienced in auditing each specific cybersecurity control, especially the controls in NIST SP 800-171 and their associated assessment objectives.
These analysts can also help you produce a System Security Plan (SSP) and a Plan of Actions & Milestones (POA&M), both of which are required for success with your compliance milestones — and your success with DoD contracts.
You'll need to know all about the systems and processes you have in place — even the fringe ones. You'll need to discover and aggregate all Standard Operating Procedures (SOPs), policies, and process documentation.
As mentioned, you should interview anyone responsible for Information Technology in your organization, such as your system administrators or your network architects.
You should also interview your physical security team members — Facilities, for instance. Be sure to make contact with anyone who has a key ring. What policies are they following?
And of course, if a team member touches cybersecurity or information technology in any form, they should contribute to your assessment effort. If you have a regulatory manager, a compliance analyst, a systems operations officer, a data protection officer, an identity and access management manager, or anyone whose role is directly or even tangentially related to constructing your cybersecurity policies, make sure you've sourced their knowledge for this assessment.
The self-assessment tool is meant to be straightforward and comprehensive, to help you get ahead of compliance and stay competitive. Compliance, however, is complex any way you cut it. The world of defense contracts is high stakes, and the U.S. Government is doing what is necessary to increase security protocols within the Defense Industrial Base (DIB) in order to protect our national security.
Scores that are inaccurate or fail to show due diligence may be considered a contractual misrepresentation and/or violation of the False Claims Act. This can result in loss of contract, fines, and/or suspension of the ability to continue doing business with the U.S. Government.
That's why it's imperative that your score is vetted by professionals before being submitted. Submitting false information or false claims will lead to serious risks (we're talking fines and possibly jail time). Don't push your score to the Supplier Performance Risk System without assessing the risk of doing so, and understanding the score in depth.
There are dozens of reasons you'd want a high score. The main reason is that you win and your competitors lose: a higher score gives you an advantage when it comes to winning tightly contested contracts. More important than winning a contract, though, is that a high score indicates proper data hygiene and enhanced cybersecurity.
No one starts their compliance journey, even the interim rule journey, with a perfect score. Even if you have a negative score, what's important is knowing where you stand.
Complete your self-assessment sooner rather than later to identify any gaps and set a remediation plan in motion. The sooner you know your score, the sooner you can identify priority changes and begin implementing them.
And the sooner you start down the road to compliance, the more likely you are to beat your competitors when the Interim Rule to DFARS Clause 252.204-7012 — and any other CMMC rule or shift — is in full effect.
To learn more about the impact of scoring, the different assessment levels, and what you need to do to prepare for the future, read our more in-depth post on this topic, which covers every detail of becoming compliant.
Achieving and maintaining compliance with ever-changing DoD Cybersecurity requirements is a significant challenge.
We at Peerless can help you navigate the complexities of DoD compliance with this new DFARS Interim Rule and assist you in preparing for self-assessment, internal audit, and third-party assessments of the many complex IT and Cybersecurity requirements in NIST SP 800-171 and CMMC.
Our goal is to help every DoD contractor meet their immediate and future compliance needs as efficiently and effectively as possible.