DFARS Interim Rule
The DoD published DFARS (Defense Federal Acquisition Regulation Supplement) interim rule 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements, on September 29, 2020, with an effective date of November 30, 2020. The new clauses build on the original DFARS 252.204-7012 clause, which has required DoD contractors to implement NIST SP 800-171 since the end of 2017.
The interim rule implements the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology and the Cybersecurity Maturity Model Certification (CMMC) framework. It requires contracting officers to take specific actions before awarding contracts, task orders, and delivery orders, or before exercising an option period or extending the period of performance on an existing contract, on or after November 30, 2020.
DFARS 252.204-7019 Clause: Notice of NIST SP 800-171 DoD Assessment Requirements
All DoD contractors in the Defense Industrial Base (DIB) that handle Controlled Unclassified Information (CUI) must complete a self-assessment using the DoD's NIST SP 800-171 Assessment Methodology and produce a points-based score. The score starts at 110 (one point per requirement, all implemented) and each unimplemented requirement subtracts 5, 3, or 1 points depending on its weight, so the score can fall well below zero. If the score is below 110, the contractor must maintain a POA&M (Plan of Action and Milestones) that states the date by which the remaining gaps will be closed and a score of 110 reached, and must post the score, the assessment date, and the planned completion date in the Supplier Performance Risk System (SPRS). At the time of award for a DoD contract containing the 7019 clause, the contracting officer verifies that a current score (not more than three years old) is posted in SPRS for each covered system.
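The scoring described above is mechanical enough to put in code. The block below is an added illustration (not code from the article, Bluestreak, or DoD) of how a Basic Assessment score and the resulting POA&M list are derived: start at 110, subtract the weight of every requirement that is not implemented, and apply the methodology's two partial-credit rules (multifactor authentication, 3.5.3, and FIPS-validated cryptography, 3.13.11, each lose 3 rather than 5 when only partly implemented). The requirement subset, its weights, and the sample self-assessment are constructed for the demo; the full weight table, which this code assumes, is in the DoD Assessment Methodology and should be checked against the current version before use.

```python
"""Basic (self) Assessment score under the DoD NIST SP 800-171 Assessment Methodology.

Added example, not code from the article or from DoD. Scoring rules follow the
published methodology; the WEIGHTS table is a constructed subset (assumption:
the real table covers all 110 requirements using the same 5/3/1 weight classes).
"""
from __future__ import annotations

MAX_SCORE = 110

# Constructed subset of requirement weights (assumption for the demo).
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.20": 1,   # verify and control connections to external systems
    "3.5.3": 5,    # multifactor authentication
    "3.8.4": 1,    # mark media containing CUI
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.1": 5,   # identify, report and correct system flaws
}

# Partial-credit rules from the methodology: deduction when the requirement is
# only partly implemented (e.g. MFA for remote/privileged users but not general users).
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

VALID_STATUS = {"implemented", "partial", "not_implemented"}


def basic_score(has_ssp: bool, status: dict[str, str]) -> int | None:
    """Return the Basic Assessment score, or None when no score can be produced.

    status maps requirement id -> 'implemented' | 'partial' | 'not_implemented'.
    Requirements missing from status count as not implemented, since the
    assessment must account for every requirement. The result may be negative.
    """
    if not has_ssp:
        # Methodology: with no System Security Plan (3.12.4) there is nothing
        # to assess against, so no score is reported.
        return None
    score = MAX_SCORE
    for req, weight in WEIGHTS.items():
        s = status.get(req, "not_implemented")
        if s not in VALID_STATUS:
            raise ValueError(f"{req}: unknown status {s!r}")
        if s == "implemented":
            continue
        if s == "partial":
            if req not in PARTIAL_DEDUCTION:
                raise ValueError(f"{req}: no partial credit defined; use not_implemented")
            score -= PARTIAL_DEDUCTION[req]
        else:
            score -= weight
    return score


def needs_poam(score: int | None) -> bool:
    """A POA&M is required whenever the posted score is below 110."""
    return score is None or score < MAX_SCORE


def poam_gaps(status: dict[str, str]) -> list[tuple[str, int]]:
    """List (requirement, points lost) for every gap, largest deduction first,
    which is the order a remediation plan should normally work through them."""
    gaps = []
    for req, weight in WEIGHTS.items():
        s = status.get(req, "not_implemented")
        if s == "partial":
            gaps.append((req, PARTIAL_DEDUCTION[req]))
        elif s == "not_implemented":
            gaps.append((req, weight))
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


# Constructed sample self-assessment for the demo.
SAMPLE_STATUS = {
    "3.1.1": "implemented",
    "3.1.2": "implemented",
    "3.1.20": "not_implemented",
    "3.5.3": "partial",          # MFA only on remote and privileged access
    "3.8.4": "implemented",
    "3.13.11": "not_implemented",
    "3.14.1": "implemented",
}

if __name__ == "__main__":
    score = basic_score(True, SAMPLE_STATUS)
    print("score:", score, "POA&M required:", needs_poam(score))
    for req, lost in poam_gaps(SAMPLE_STATUS):
        print(f"  {req}: -{lost}")
```

With the sample status the score is 101 (110 minus 1 for 3.1.20, 3 for partial MFA, and 5 for non-FIPS cryptography), so a POA&M is required and the two 5-point and 3-point items would be the first milestones. Note that a contractor with no SSP gets no score at all rather than a low one.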
DFARS 252.204-7020 Clause: NIST SP 800-171 DoD Assessment Requirements
Along with the 252.204-7012 and 7019 clauses, the 7020 clause is approved for use in all DoD contracts. It requires contractors to give the Government access to their facilities, systems, and personnel whenever the DoD needs to conduct or renew a higher-level assessment. The higher-level assessments are the Medium and High Assessments; the self-assessment required by the 7019 clause is the Basic Assessment.
A Medium Assessment is conducted by DoD personnel and consists of a review of the contractor's System Security Plan (SSP) and its description of how each requirement is met, to identify any language that does not adequately address the security requirement.
A High Assessment is conducted by DoD personnel onsite at the contractor's location and uses the full set of assessment procedures in NIST SP 800-171A to determine whether the implementation actually meets each requirement. Assessors review evidence and request demonstrations, such as recent vulnerability scan results, system inventories, baseline configurations, and a live demonstration of multifactor authentication.
The 7020 clause must also be flowed down to subcontractors and suppliers that handle CUI, and a prime may not award such a subcontract unless the subcontractor has a current assessment posted in SPRS. Just as the DoD may decline to award a contract because of noncompliance, you may be unable to use a subcontractor or supplier because of theirs.
DFARS 252.204-7021 Clause: Cybersecurity Maturity Model Certification (CMMC) Requirements
This DFARS clause writes CMMC into the federal regulatory framework. It requires CMMC to be included in all contracts, task orders, delivery orders, and solicitations, with very few exceptions (primarily purchases of commercial off-the-shelf items), phased in over several years. The CMMC level required is determined by the DoD and stated in the Request for Proposal. Contractors must hold the required CMMC level at the time of contract award and maintain it for the duration of the contract, and the requirement must be flowed down to subcontractors and suppliers.
Can you Afford Compliance? Funding & Cost Sharing May Be Available For Heat Treaters
With the government and many businesses pushing for stricter cybersecurity practices, cost-sharing and funding sources have been identified that may cover a substantial percentage of the costs associated with these critical cybersecurity projects.
About the Author
Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, a machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe directly at firstname.lastname@example.org.