By Marilyn Fritz, CISSP, CISA, ITIL, PMP
The new DFARS Interim Rule that went into effect November 30, 2020 is a game changer for any entities that have or are pursuing Defense Industrial Base (DIB) contracts or subcontracts. Prior to the new Interim Rule, contractors and sub-contractors could self-attest that they met DoD cybersecurity requirements specified in NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”. A key component of the new regulation is that contractors must demonstrate that they understand the requirements, are working towards compliance, and can provide a timeline when compliance will be complete. For DIB contractors relatively new to these cybersecurity requirements, the most important set of actions would be to understand what this will take – and to make a plan to get there.
The need for this newest set of regulations has been underscored by relentless and ever-increasing numbers of cyber breaches. Intellectual property theft from DoD defense contractors alone has resulted in dollar losses valued in the billions. Just in December, news reports revealed hacks that reach deep into US nuclear laboratories, the Pentagon, Treasury, Commerce departments, and beyond. These news reports continue to bear witness that immediate, effective action is urgently required.
Clearly, the DoD must get even more serious about cybersecurity. But how does that translate into the new DFARS Interim Rule requirements, and what does that now means for your ability to maintain or gain a DoD contract?
If you are hesitant, it may not be as challenging as you might believe! The DoD needs good contractors, and want a successful outcome for everyone. The rollout has been designed therefore to improve the cybersecurity posture across the supply chain, while causing the least amount of disruption to those serving as contractors and subcontractors in the DIB. This article covers the essentials of the new DFARS Interim Rule as it affects your journey towards compliance.
First, determine whether DFARS applies to your organization. DFARS is a requirement for entities that process, transmit or store Controlled Unclassified Information (CUI.) The DoD has stated that the contract will state whether it falls under DFARS. CUI is a designation for information that is not publicly available and meets certain criteria. The DoD provides 19 categories of CUI such as nuclear, privacy, international agreements and critical infrastructure. Typical examples include intellectual property, design specifications, contracts, legal, and project related documents, such as timelines and time cards. Although there is the potential for varying sources of information to be aggregated to create CUI (which is the contractor’s responsibility to identify), the DoD will be the primary source for determining whether CUI protection levels are needed.
Next, the new DFARS Interim Rule implements the “National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology”. Although the methodology is new for most contractors, it can be viewed as a helpful stepping-stone to learning the requirements for compliance. Part of the mandate is that contractors must self-assess against NIST SP 800-171 requirements and enter results in the Supplier Performance Risk System “SPRS”1. Most contractors will self-assess and enter results from this “Basic” assessment SPRS. The DoD will conduct a small percentage of annual contract awards depending on the level of confidence required by the DoD for the particular contract. In which case, the DoD will assign personnel to conduct Medium or High reviews and to enter the results in SPRS.
The DFARS Interim Rule requires that going forward, contracting officers must confirm that an entity has entered an active SPRS Assessment prior to awarding a new or renewed contract.
The good news for getting started is that the Methodology currently does not stipulate a “passing” score. That is, entering a score in SPRS is sufficient to get started. The process will require a submitted “Plans of Action” (POA) that identifies compliance gaps, and commits to timelines for when these will be addressed. The submission of the POA provides a strong incentive for contractors to implement security controls – rather than leave them undone indefinitely.
The Interim Rule also strengthens the rollout of the Cybersecurity Maturity Model Certification (CMMC) program. The CMMC is a DoD certification process that measures an entity’s implementation of cybersecurity processes and practices. There are five protection levels in CMMC, and a separate assessment process managed by the CMMC Accreditation Body. These results are also entered in SPRS. For DFARS purposes, CMMC Level 3 is designed to protect CUI. CMMC Level 3 contains 130 practices (“controls”). Of these, 110 are from NIST SP 800-171. As such, any contractor that works towards NIST SP 800-171 compliance is well on their way towards CMMC Level 3.
The 20 controls CMMC Level 3 adds to NIST SP 800-171 are primarily process based. For example, CMMC measures the extent to which policies are communicated, understood, and followed within the organization. The CMMC also provides a maturity model which defines common sense indicators for the level to which cybersecurity practices are conducted, and to which these are embedded within the culture of an organization. This is a commendable goal, as embedding cybersecurity within an organization has proven to be one of the most reliable ways to develop a strong defense against attacks.
Finally, you should know that NIST SP 800-171 controls are excerpted from the NIST SP 800-53 control catalog – the gold standard for DoD and Federal internal systems protection. BAI’s training has long been recognized as the standard bearer for the Risk Management Framework, which implements these NIST SP 800-53 controls. Given the reliance on the same controls, and with BAI’s established leadership as the “go to” training and consulting experts on the NIST SP 800-53 control set (and assessment!), you can be confident that BAI’s training will provide you with the knowledge and skills you need to set you on the path towards DFARS compliance.
True to our motto of “We ARE RMF!”, the “DFARS Compliance with CMMC/NIST SP 800-171” curriculum has been designed by RMF practitioners who can offer you the industry standard for getting through the process of control implementation and assessment. BAI is uniquely positioned to help DoD contractors and subcontractors navigate the complexities of DFARS, whether with CMMC or NIST 800-171, so that you can be confident of success on your journey towards compliance.