The Department of Defense (DoD) released the DFARS Interim Final Rule in September 2020, which went into effect on November 30, 2020. Its primary objectives are to clarify that Cybersecurity Maturity Model Certification (CMMC) will be the new framework for DoD contracts and inform contractors that they must report their compliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. These dual mandates allow the Interim Rule to address defense contractors’ security and compliance gaps in preparation for the CMMC rollout.
The Interim Rule will impact any work subject to Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, which essentially includes all DoD projects for both prime contractors and subcontractors. This DFARS clause requires defense contractors who handle controlled unclassified information (CUI) to implement the cybersecurity controls described in NIST SP 800-171. The Interim Rule also strengthens NIST SP 800-171’s self-assessment requirement, easing the transition to CMMC certification.
Beryllium InfoSec Collaborative has experts in security issues who can provide the physical and technical protection of defense information required by DFARS. In addition, our CUICK TRAC solution helps DoD contractors and sub-contractors process controlled unclassified information (CUI). Call us today at 763-546-8354 or schedule your free consultation online.
The Council of Economic Advisers (CEA) estimates that cyberattacks cost the U.S. economy between $57 billion and $109 billion in 2016. Since then, the DoD has focused on improving the cybersecurity of the Defense Industrial Base (DIB). Recent high-profile data breaches have underscored the DoD’s growing concerns about security, causing it to move beyond the previous self-attestation system and progress towards a verification system that includes audits. These changes will provide greater protection of sensitive government information. The interim rule is one of many efforts the DoD is making to better protect the DIB and the rest of the Defense Supply Chain (DSC), which generally involves increasing the requirements of FAR and DFARS.
The new DFARS interim rule's primary changes are the addition of three new clauses, namely 252.204-7019, 7020, and 7021. It also contains a new subpart, Subpart 204.75, which specifies the policies and procedures for awarding contracts and exercising options on existing contracts.
DFARS clause 252.204-7019 requires contracting officers to assess their organization’s cybersecurity posture on record. This information is stored in a government database called the Supplier Performance Risk System (SPRS). All DoD solicitations must contain the language indicated by this clause unless they only involve commercially available off-the-shelf (COTS) products or services.
DFARS clause 252.204-7020 specifies the NIST 800-171 assessment methodology that contractors must use when conducting Basic assessments. The Under Secretary of Defense for Acquisition and Sustainment introduced this method in November 2019, and the Defense Contract Management Agency (DCMA) has since used it to audit contractor compliance. The methodology provides a scorecard that gives contractors a better picture of their compliance with the 110 security controls described in NIST SP 800-171.
All DoD contracts and solicitations must include the language in clause 7020 unless they only involve acquiring COTS products or services. The clause also requires contractors to give the government access to their facilities, personnel, and systems when the government wants to conduct more than a Basic assessment.
DFARS clause 252.204-7021 specifies that the CMMC framework requires contractors to receive a certification verifying their implementation of specified cybersecurity practices and processes. Furthermore, this clause requires contractors to protect the information they’ll handle if they win the new contracts they’re pursuing. The requirements of this clause are separate from the DoD assessment methodology.
The new requirements in the DFARS interim rule essentially mean that contractors need to perform an accurate assessment of their security posture according to the NIST assessment methodology and record the results of that assessment in SPRS by the time a contract carrying the new DFARS requirements is awarded. These assessments are required for all contract actions after this date, including the exercise of options. The contractor must perform a Basic assessment, but the DoD may also choose to conduct a Medium or High assessment, depending on the DoD assessment requirements for the information the contractor is handling. The DoD hasn’t yet provided guidance on how or when it will conduct these higher-level assessments after awarding the contract.
The DFARS interim rule defines three levels of assessment: Basic, Medium, and High.
The Basic assessment level is a self-assessment that the contractor performs. The contractor uses the NIST 800-171 assessment methodology to determine which of the 110 controls it has implemented. The maximum score with this methodology is 110. Following the scorecard, contractors subtract a specific number of points for each control they haven’t implemented.
The number of points each control is worth reflects its relative impact on the security of covered contractor information systems, so some controls are worth more than one point. The scoring methodology generally doesn’t allow partial credit for partially implemented controls, except for FIPS-validated encryption and multi-factor authentication. Because the controls are worth more than 110 points in total while the maximum score is 110, it’s possible for a contractor to have a negative score. The total value of all the controls is 313 points, so the lowest possible score on the self-assessment is -203 points.
The contractor must record the total score in the SPRS within 30 days of completing the assessment, along with the date by which they expect to achieve full compliance with NIST 800-171. The Basic assessment has a low level of confidence because it’s self-generated.
The government conducts a Medium assessment, which includes a review of the contractor’s Basic assessment, a thorough review of their documentation, and additional information from the contractor. Contractors must also allow the government access to their facility, systems, and personnel to complete this assessment. A Medium assessment has a medium confidence level.
A High assessment includes everything in the Medium assessment, but also adds an examination, verification, and demonstration that the contractor’s security plan actually meets the requirements of NIST 800-171. This assessment has a high confidence level.
The DFARS interim rule doesn’t specify a minimum score for the self-assessment that contractors must achieve to do business with the DoD. However, the DoD may consider this score when awarding contracts. A low self-assessment score means that a company may pose a greater security risk and is, therefore, less likely to receive a contract.
A self-assessment score less than 110 also creates a business risk for a contractor because it triggers a Plan of Action and Milestones (POAM), which CMMC doesn’t allow. A contract that requires Level 3 CMMC compliance also has 20 additional cybersecurity requirements, beyond the 110 of NIST SP 800-171. The DoD has stated that contracts with these requirements will begin appearing in early 2021 and increase in frequency.
Beryllium can help contractors through the process of achieving DFARS compliance in a cost-effective manner. The implementation of NIST SP 800-171 controls makes it very difficult for attackers to access CUI, which should be the real reason for developing “adequate security.” This process is often challenging, especially for small-to-medium size businesses (SMBs) that lack the resources and expertise needed to implement these measures themselves. Beryllium offers contractors multiple options for meeting the requirements of DFARS 252.204-7012, 7019 and 7020.
The key takeaways for the DFARS interim rule include the following:
1. It took effect on December 1, 2020.
2. It applies to contractors who are subject to DFARS clause 252.204-7012, which essentially means contractors who handle CUI.
3. These contractors must complete a new, accurate, NIST 800-171 self-assessment based on the new scoring methodology. They must also post their score on the self-assessment in the SPRS before they can receive a contract.
4. The self-assessment must include a System Security Plan (SSP) with a POAM that describes the current state of the contractor’s network. The SSP must be completely compliant with NIST 800-171 requirements.
5. These requirements apply to all prime contractors, subcontractors, and suppliers that handle CUI.
6. DCMA will conduct random audits to ensure contractors have completed the self-assessment, scored themselves accurately, created an SSP, and are developing a realistic POAM.
Contractors who perform DoD procurement should already have a sense of urgency in starting the process for achieving NIST 800-171 compliance. A poor assessment score in a government database makes contractors less competitive and may hurt their reputation with stakeholders such as sub-contractors, suppliers, and other partners. It’s therefore in the contractor’s best interest to make as many improvements as possible before performing the self-assessment while still submitting the score to the SPRS by the deadline required by the contract.
The three types of NIST 800-171 assessments differ in their validation and documentation requirements, but the scoring methodology itself is the same for all of them. If you’re responsible for your company’s NIST 800-171 compliance, you can determine how much work is ahead of you by performing a preliminary assessment. Using a third party with subject matter expertise is highly recommended. This procedure will give you a general idea of your current status and what you can change before performing the formal self-assessment. If your company has never performed a NIST 800-171 self-assessment before, you should expect the preliminary assessment score to be quite low.
The best strategy for improving the self-assessment score is often to focus on the high-value items first. While there are 110 controls worth a total of 313 points, 35 of those points are concentrated in the following seven controls:
The entries above show the NIST 800-171 section numbers of the controls that are worth up to five points. Control 3.5.3 deals with multi-factor authentication (MFA). This control is worth five points if the contractor implements MFA for all users and three points if it only implements MFA for remote and privileged users. The other six controls on this list are worth five points if the control is fully implemented and zero points if it isn’t fully implemented.
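The scoring rules described above (110 maximum, points subtracted per unmet control, partial credit only for MFA and FIPS-validated encryption) as an added Python example; this is not Beryllium's tool or the DoD's official scorecard. The sample controls, their weights and statuses are constructed for illustration, and the partial-credit value for FIPS-validated encryption is an assumption, since the text gives a value only for MFA.

```python
from dataclasses import dataclass

# Figures stated in the text for the NIST SP 800-171 DoD assessment methodology.
MAX_SCORE = 110
TOTAL_POINTS = 313
MIN_SCORE = MAX_SCORE - TOTAL_POINTS   # -203

# Partial credit: the text says 3.5.3 (MFA) earns 3 of its 5 points when MFA covers
# only remote and privileged users. It names FIPS-validated encryption (3.13.11) as
# the other exception without a value, so 3 points is an assumption here.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Control:
    ident: str    # NIST SP 800-171 section number, e.g. "3.5.3"
    weight: int   # 1, 3 or 5 points on the scorecard
    status: str   # "implemented", "partial" or "not_implemented"


def points_lost(control):
    """Points subtracted from the 110 maximum for one control."""
    if control.weight not in (1, 3, 5):
        raise ValueError(f"{control.ident}: unexpected weight {control.weight}")
    if control.status == "implemented":
        return 0
    if control.status == "partial":
        # Every control outside PARTIAL_CREDIT loses its full weight when partial.
        return control.weight - PARTIAL_CREDIT.get(control.ident, 0)
    if control.status == "not_implemented":
        return control.weight
    raise ValueError(f"{control.ident}: unknown status {control.status!r}")


def sprs_score(controls):
    """Score to post in SPRS; always within the -203..110 range the text gives."""
    score = MAX_SCORE - sum(points_lost(c) for c in controls)
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} outside the methodology's range")
    return score


def remediation_order(controls):
    """Unmet controls ordered so the largest score gains come first."""
    gaps = [(points_lost(c), c.ident) for c in controls if points_lost(c) > 0]
    return [ident for _, ident in sorted(gaps, key=lambda g: (-g[0], g[1]))]


# Constructed sample: weights and statuses are hypothetical, not a real scorecard.
SAMPLE = [
    Control("3.1.1", 5, "implemented"),
    Control("3.5.3", 5, "partial"),          # MFA for remote/privileged users only
    Control("3.13.11", 5, "partial"),        # encryption in use, not FIPS-validated
    Control("3.1.5", 3, "not_implemented"),
    Control("3.3.3", 1, "not_implemented"),
    Control("3.8.9", 1, "partial"),          # no partial credit for this control
]
```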
However, all of these compliance requirements will require time and dedicated resources for contractors to meet. DoD has required NIST 800-171 compliance from its contractors who handle CUI since 2017, as mandated by DFARS clause 252.204-7012. The DFARS interim rule is an emergency measure aimed at DoD contractors who still aren’t compliant, showing how the DoD is clamping down on this problem. Beryllium can serve as a strategic partner in achieving compliance through our CUICK TRAC solution.
The work needed to perform NIST 800-171 assessments under the Pentagon’s interim rule will be more than the DoD seems to think. The DoD estimates that a Basic assessment will cost the average contractor less than $50 to perform and another $25 to post the results in SPRS, resulting in a total cost of less than $75. However, these figures don’t account for the additional time that senior executives will need to spend getting their companies compliant through remediation.
The DoD also estimates that the interim rule’s requirement for a Basic assessment will affect more than 26,000 small businesses. However, it provides no details on how businesses should handle Basic assessments while struggling with the COVID-19 pandemic. While all contractors must perform the Basic assessment, only a limited number will receive Medium and High assessments. The DoD expects to perform 200 Medium assessments per year, including 148 on small businesses. About 110 contractors will receive High assessments from assessors each year, with 81 of those on small businesses. That said, information posted now will be used for future assessments, making accuracy and plan execution a crucial part of compliance.
Beryllium can prepare DoD suppliers for the DFARS interim rule with CUICK TRAC. This practical, cost-effective solution helps contractors and sub-contractors receive, process, and transmit CUI. CUICK TRAC helps businesses work with the federal government by becoming compliant with DFARS and NIST 800-171 requirements, especially those that lack the bandwidth and resources to implement security controls by themselves. Beryllium also offers additional DFARS solutions for helping defense contractors stay compliant.
Primary contractors can use CUICK TRAC as a vendor risk management solution for their supply chain. Sub-contractors can use it to become compliant much more quickly and at a fraction of the cost of doing it themselves. CUICK TRAC saves contractors an average of more than $100,000 and typically gets them DFARS compliant within weeks, not months or years. This solution is also useful for contractors who need to meet emerging CMMC requirements to receive future contract awards. These certifications include five compliance levels, ranging from “Basic Cybersecurity Hygiene” to “Advanced and Progressive.”
Make CUICK TRAC your next step in obtaining DFARS compliance and prepare for CMMC certification. We offer free consultations for clients who need to implement the NIST 800-171 controls. You can reach us at 763-546-8354 or by contacting us online.