Reading Time: 4 minutes
Complying With DFARS Interim Rule, NIST 800-171 & CMMC May Save Your Company’s Future
What Is The DFARS Interim Rule?
The DFARS Interim Rule 2019-D041 is made up of three new DFARS Clauses which require all DoD prime contractors, subcontractors, and suppliers who handle CUI (Controlled Unclassified Information) in any way to implement the cybersecurity controls described in NIST SP 800-171. The Interim Rule also strengthens NIST SP 800-171's self-assessment requirement, easing the transition to CMMC certification. This Interim Rule went into effect on November 30, 2020.
● DFARS 252.204-7019 Clause: Notice of NIST SP 800-171 DoD Assessment Requirements.
● DFARS 252.204-7020 Clause: NIST SP 800-171 DoD Assessment Requirements.
● DFARS 252.204-7021 Clause: Cybersecurity Maturity Model Certification (CMMC) Requirements.
DFARS Interim Rule
On September 29, 2020, the Department of Defense (DoD) published the DFARS (Defense Federal Acquisition Regulation Supplement) interim rule 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements, with an effective date of November 30, 2020. These new clauses are an extension of the original DFARS 252.204-7012 clause that has been required in DoD contracts since 2018.
The interim rule implements the NIST SP 800-171 DoD Assessment Methodology and the CMMC (Cybersecurity Maturity Model Certification) framework. The interim rule requires contracting officers to take specific action prior to awarding contracts, giving task or delivery orders or extending an optional period of performance on existing contracts on or after November 30, 2020.
DFARS 252.204-7019 Clause: Notice of NIST SP 800-171 DoD Assessment Requirements
All DoD contractors in the Defense Industrial Base (DIB) must complete a self-assessment using the DoD’s NIST 800-171 Assessment Methodology and generate a points-based score. If the self-assessment score falls below 110, contractors are required to create a POAM (Plan of Action and Milestones) and indicate by what date the security gaps will be remediated and a score of 110 will be achieved as part of the SPRS (Supplier Performance Risk System). At the time of a DoD contract award containing the new 7019 clause, a DoD contracting officer will verify that a score has been uploaded to the SPRS.
DFARS 252.204-7020 Clause: NIST 800-171 DoD Assessment Requirements
Along with the 252.204-7012 and 7019 clauses, the 7020 clause is approved for use in all DoD contracts. This new clause requires that contractors provide the government with access to its facilities, systems, and personnel when it is necessary for the DoD to conduct or renew a higher-level Assessment. The higher level Assessments are the Medium and High Assessments. The self-assessment conducted as part of the 7019 clause is called a Basic Assessment.
A Medium Assessment is conducted by DoD personnel and will include a review of your System Security Plan (SSP) and how each of the requirements is met and to identify any language that may not adequately address the security requirements.
A High Assessment is conducted by DoD personnel onsite at the contractor’s location and will leverage the full NIST SP 800-171A (Assessing Security Requirements for Controlled Unclassified Information) to determine if the implementation meets the requirements by reviewing evidence and/or demonstration such as recent scanning results, system inventories, baseline configurations and demonstration of multi-factor authentication and/or two-factor authentication.
Along with that, this rule also requires that contractors flow down their requirements from 7019 to their subcontractors and suppliers. Just as the DoD may choose not to award a contract due to noncompliance, you may not be able to use a subcontractor or supplier due to their noncompliance.
DFARS 252.204-7021 Clause: Cybersecurity Maturity Model Certification (CMMC) Requirements
Companies willing to move forward with these cybersecurity initiatives by the DoD will have an overwhelming impact on the DoD supply chain and your business. If many companies in the U.S. choose to not embrace the mandatory requirements, the DoD and DoD contractors will award contracts solely to the few companies who do choose to become compliant. Poor cybersecurity practices can result in hacking, loss of company data and critical customer data, and attacks by malware, viruses, and ransomware. All of this can result in major damage to the business and loss of customers, not to mention being liable for all losses and paying significant fines.
Complying with DFARS 7012 and NIST 800-171 is a requirement for all DoD contractors, subcontractors, vendors, and suppliers. The DoD has now begun confirming that contractors and subcontractors are compliant before awarding additional contracts. Navigating NIST 800-171 and DFARS is a complex and challenging — but necessary — step in this process.
This DFARS clause establishes CMMC into the federal regulatory framework. This requires that CMMC is to be included in all contracts, tasks or orders, and solicitations, with very few exceptions. The level of CMMC that is required will be determined by the DoD and added into the Request for Proposal. Contractors must maintain the appropriate CMMC level for the duration of any contract and the requirements must be trickled down to your subcontractors and suppliers. The CMMC certification is required at the time of contract award.
About the Author:
Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, a division of Bluestreak | Bright AM™, and a regular editorial contributor of Heat Treat Today, a trade publication media brand providing technology, tips, and news for manufacturers with in-house heat treatment departments. The publication targets aerospace, automotive, medical, energy, and general manufacturing.
Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, a machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe directly at firstname.lastname@example.org.
Bluestreak™ is a powerful, fully integrated Quality Management System (QMS) and Manufacturing Execution System (MES), designed for the manufacturing environment and service-based manufacturing companies (metal-treating/powder-coating, plating, heat-treating, forging, and metal-finishing), businesses that receive customers’ parts, perform a process (service) on them and send those parts back to the customer). Companies need MES software tailored to specific functionality and workflow needs such as industry-specific specifications management, intuitive scheduling control for both staff and machinery maintenance, and the ability to manage work orders and track real-time data. If different work centers on the production floor aren’t “speaking” to each other via the MES, the data loses value and becomes disjointed or lost in disparate silos.
Bluestreak | Bright AM™ is an MES + QMS software solution specifically designed to manage and optimize the unique requirements of Additive Manufacturing’s production of parts and powder inventory usage.