DFARS Interim Rule FAQ: What You Need to Know
The DoD released an interim rule to "amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a DoD Assessment Methodology and Cybersecurity Maturity Model Certification framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain." So, what does this mean for DoD contractors?
Effective 60 days after its publication, the new rule requires that anyone working with the DoD submit proof of compliance with NIST SP 800-171. This means you will have to provide evidence of your accordance with these regulations by showing that you have kept up with the cyber hygiene provisions you are attesting to in your assessments.
It's okay to have a lot of questions, and Bravo is here to help! Read on for some of the most common questions surrounding the new DFARS interim rule. If you're still unsure, contact us today!
Why is the DoD implementing the DFARS interim rule?
In the past, the DoD required little to no evidence of compliance from its contractors. This rule has been put into place to ensure the security of CUI and intellectual property of the Defense Industrial Base (DIB) to prevent the undermining of DoD and U.S. technological advantages.
The DoD wants to implement these provisions to provide an incentive to its contractors to ensure that its supply chain improves its cybersecurity and meets contractual guidelines.
What immediate steps need to be taken?
First and foremost, consider how long it's been since you last self-attested your business's compliance with DFARS and NIST. Your basic assessments should show that your firm is consistently making strides to improve its cyber hygiene. If your Plans of Action and Milestones (POA&Ms) don't reflect that you are making those improvements, take steps to document your progress.
A rule of thumb is that you should have at least three self-assessments from the last three years against DFARS 252.204-7012. If there have been any significant changes to your environment, you should have done even more assessments to ensure your cybersecurity posture.
Does the DFARS interim rule cover previous self-attestations?
Technically speaking, these behaviors should have been taking place during previous assessments, and the DFARS interim rule is just asking that you provide evidence of doing so. It might be problematic if a firm attested to implementing proper procedures but never did.
What role do my Third-Party Providers (TPPs) have in my attestation?
You must attest that any Third-Party Providers that handle CUI, such as Managed Service Providers (MSPs) or Managed Security Service Providers (MSSPs), meet the same or higher security standards as you do.
Can a third-party, such as an MSP, submit my documentation for me?
No, you must submit the documentation yourself. A third-party provider can prepare the materials for you, but you must submit them yourself and you are responsible for the accuracy of the documents. However, since Medium and High Assessments are performed by the Government, the Government submits those results itself.
Do I need to submit documentation for previous self-attestations?
While it’s surprising that providing documentation hasn’t been required before this rule, you do not need to provide evidence of past attestations. However, moving forward, all DoD contracts will require the submission of a Basic Assessment, at least. Reports must be in the Supplier Performance Risk System (SPRS).
What and when do I submit?
Once your assessment is completed – either basic, medium, or high – using the standard scoring methodology, documents will need to be submitted in the Supplier Performance Risk System (SPRS). The DoD will keep these on file to verify that you meet the requirements specified in the solicitation prior to contract award.
Will the DFARS interim rule be integrated with CMMC?
Since the DFARS interim rule builds on NIST SP 800-171 and the DoD Assessment Methodology, and mandates the CMMC framework, it will affect the CMMC roadmap and compliance. CMMC is designed to provide an added level of assurance to the DoD that a DIB contractor can adequately protect sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
What are the consequences of potential errors in an assessment?
Any faults or falsities observed in a self-attestation could trigger action under the False Claims Act (FCA), which could lead to civil or even criminal liability for any company that knowingly reports false information in its assessment.
What is the difference between Basic, Medium, and High Assessments?
The three assessment levels (Basic, Medium, and High) are based on the depth of the assessment performed and reflect the confidence level in the resulting score. A Basic Assessment is a self-assessment performed by the contractor. A Medium or High Assessment is performed by the Government. The required assessment level is dictated by the contract.
What is the difference between DFARS 252.204-7012 and the new DFARS interim rule 252.204-7021?
| DFARS 252.204-7012 | DFARS 252.204-7021 (interim rule) |
|---|---|
| Universally applied | Requires demonstration of maturity based on the contract's risk level |
| Self-attesting and self-submitting documentation | Third-party assessments and self-submission |
| Based on policing and enforcement | Based on the winning of contracts |
| Tolerant of not having certain controls in place as long as they are identified and plans are established to rectify them | Intolerant of not having certain controls in place |
The time to take action is now! The DoD has made it very clear that they're serious about their supply chain's compliance requirements and cybersecurity measures. If you're concerned about your company's standing in regards to the new DFARS interim rule, Bravo can help! Get in touch with us today to get started before it's too late.
Speak with an expert today!