Significant changes are confirmed for DoD contracts per a new Interim Rule to DFARS Clause 252.204-7012 published on September 29, 2020 and going into effect November 30, 2020.
All DoD contractors must act as soon as possible to ensure they will continue to qualify for contracts, task orders, and delivery orders with this DFARS clause.
The term "interim" should not be interpreted to mean that this is a temporary change. As a legal construct, the term "Interim Rule" means that these changes became effective immediately upon publication. The Interim Rule introduces a mandatory scoring system for contractor compliance that requires immediate action. It also takes the wind out of the sails of the Cybersecurity Maturity Model Certification (CMMC) rollout, delaying the DoD-wide requirement to October 1, 2025.
While the Final Rule may incorporate changes based upon comments from industry, Congressional oversight, and lessons learned, make no mistake: the Interim Rule is absolutely going into effect on November 30, 2020, and it will enforce compliance as a condition of qualifying for DoD contracts.
There are several mandatory steps all DoD contractors should begin as soon as possible to continue qualifying for DoD contracts, task orders, or delivery orders that include DFARS Clause 252.204-7012 as of November 30, 2020.
In order to prepare for upcoming DoD requirements and defend against the ever-increasing risks and impacts of cyber attack, all DoD contractors should:
The Interim Rule further codifies the requirement that all DoD contracts, task orders, and delivery orders with Controlled Unclassified Information (CUI) include the DFARS Clause 252.204-7012 and requires compliance with the 110 controls specified in NIST Special Publication (SP) 800-171.
All contractors (and their subcontractors) will need to do the following for each system:
There are three assessment types:
| Assessment Type | DoD-Estimated Respondents (Annually) |
|---|---|
You've probably seen all the press about the urgency of preparing for CMMC the past few months.
Prior to this Interim Rule, CMMC compliance and a CMMC Assessment were to become mandatory for all DoD contracts with Controlled Unclassified Information (CUI) or Federal Contractor Information (FCI) as of January 2021, with assessments commencing in July 2021.
That will now occur only for contracts pre-selected by the OUSD(A&S) in a five-year phased approach beginning in 2021, until a universal rollout on October 1, 2025.
| Year | Level 1 | Level 2 | Level 3 | Level 4 | Level 5 | Total |
|---|---|---|---|---|---|---|
| CMMC Level | Description |
|---|---|
| 1 | Consists of the 15 basic safeguarding requirements from FAR clause 52.204-21. |
| 2 | Consists of 65 security requirements from NIST SP 800-171 implemented via DFARS clause 252.204-7012, 7 CMMC practices, and 2 CMMC processes. Intended as an optional intermediary step for contractors as part of their progression to Level 3. |
| 3 | Consists of all 110 security requirements from NIST SP 800-171, 20 CMMC practices, and 3 CMMC processes. |
| 4 | Consists of all 110 security requirements from NIST SP 800-171, 46 CMMC practices, and 4 CMMC processes. |
| 5 | Consists of all 110 security requirements from NIST SP 800-171, 61 CMMC practices, and 5 CMMC processes. |
Compliance scores in SPRS are expected to be used by DoD as either a formal or informal differentiator of suitability for contract award.
Unless forbidden by DoD, they will also undoubtedly be used by your competitors in marketing a competitive advantage. There is nothing in the Interim Rule regarding the publishing, sharing, dissemination, or advertising of scores.
The fundamental problem is that not all compliance scores are the same. "Medium" and "High" assessments are conducted by the government to a strict standard; however, "Basic" assessments are derived from self-attestation by the contractor on a pass/fail basis of 1 point per 110 controls.
Therefore, a contractor under pressure to maximize their compliance score is faced with decision-making on providing a strict, honest, and informed assessment of each control or risking increased vulnerability to cyber attack and allegations of misrepresentation / False Claims Act (FCA) violations.
This issue may be somewhat mitigated over time because DoD expects all contractors to eventually achieve a perfect score of 110, as evidenced by the Interim Rule requirement for the contractor to indicate in SPRS when they expect to achieve a perfect score. This requires the POA&M ("last plan of action") to be "complete" (i.e. no open weaknesses).
Achieving and maintaining compliance with ever-changing DoD Cybersecurity requirements is a significant challenge.
We at Peerless can help you navigate the complexities of DoD compliance with this new DFARS Interim Rule and assist you in preparing for self-assessment, internal audit, and third-party assessments of the many complex IT and Cybersecurity requirements in NIST SP 800-171 and CMMC.
Our goal is to help every DoD contractor meet their immediate and future compliance needs as efficiently and effectively as possible.