TL;DR:
The DoD’s DFARS Interim Rule introduces new contract clauses to facilitate the phased rollout of CMMC and requires contractors (including higher education institutions conducing DoD-sponsored research) to have an SSP, report compliance with NIST SP 800-171 on SPRS, and provide a timeline for full compliance prior to contract award.
The Department of Defense (DoD) released the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule on September 29, 2020, and went into effect on November 30, 2020.
The DFARS Interim Rule introduces several new contract clauses (252.204–7019, 252.204–7020, and 252.204–7021) to enable the five-year phased rollout of the Cybersecurity Maturity Model Certification (CMMC) on October 1, 2025.
Specifically, the DFARS Interim Rule requires contractors to have a System Security Plan (SSP), quantify their compliance with the NIST SP 800-171, self-report that status on the Supplier Performance Risk System (SPRS), and a timeline for full compliance, prior to a new contract award or exercise of a contract option.
Higher Education Institutions that conduct DoD sponsored research are required to comply with the DFARS Interim Rule.
TL;DR:
The DFARS Interim Rule initiated the phased rollout of CMMC, requiring contractors to complete a NIST SP 800-171 self-assessment using the Assessment Methodology and report the score to SPRS until September 30, 2025, and eventually be Level 1 certified for FCI with 17 practices or Level 3 certified for CUI with 130 practices and related policies, as well as provide proof through multiple forms of evidence for each practice.
The purpose of the DFARS Interim Rule was to kickstart the five-year, phased rollout of the Cybersecurity Maturity Model Certification (CMMC). Prior to the Interim Rule, DFARS 252.204-7012 required any contractor with systems that stored or transmitted Controlled Unclassified Information (CUI) to agree to be compliant with NIST SP 800-171. In the interim period (November 30, 2020–September 30, 2025), contractors will need to complete a NIST SP 800-171 self-assessment using the NIST SP 800-171 Assessment Methodology and report the score to the SPRS.
In the future, all contractors will need to be Level 1 certified at the least for Federal Contract Information (FCI) which entails 17 practices. Those contractors that receive, create, or transmit CUI will need to be Level 3 certified which entails 130 practices and related policies. Contractors will also need to demonstrate proof by documenting multiple forms of evidence for each practice.
Any prime contractor or subcontractor for the DoD who handles Controlled Unclassified Information (CUI) will need to comply with the new DFARS Interim Rule. This includes research labs, and their subsequent systems, in Higher Education Institutions that conduct DoD research.
TL;DR:
Higher Education Institutions are not exempt from the DFARS Interim Rule or the CMMC.
No, Higher Education Institutions are not exempt from the DFARS Interim Rule or the CMMC. During the CMMC Virtual Summit hosted on September 15, 2020, Katie Arrington, CISO at the Office of Acquisition and Sustainment, indicated that fundamental research conducted at Higher Education Institutions as part of DoD contracts would fall under CMMC Level 1. EDUCAUSE and several other organizations have urged the DoD to consider excluding Higher Education Institutions from the DFARS Interim Rule and the CMMC, however, the DoD has not replied to the comments.
TL;DR:
The DFARS Interim Rule includes three new clauses: Notice of SP 800-171 DoD Assessment Requirements, NIST SP 800-171 DoD Assessment Requirements, and Cybersecurity Maturity Model Certification Requirements.
The DFARS Interim Rule introduces three new clauses (7019, 7020, 7021).
TL;DR:
The penalties associated with the DFARS Interim Rule include the inability to receive contracts or award subcontracts, potential liabilities under the False Claims Act, and limited competition for less favorable assessment scores.
Yes, there are several possible penalties associated with the DFARS Interim Rule.
TL;DR:
The NIST SP 800-171 Assessment Methodology assigns a score based on the contractor’s implementation of 110 controls, and includes three levels: Basic, Medium, and High.
The NIST SP 800-171 Assessment Methodology creates a definitive scoring system by which the DoD can strategically assess a contractor’s implementation of NIST SP 800-171 and thus gain an understanding of their security posture. The highest score you can get is a 110, which reflects full implementation of all 110 controls in NIST SP 800-171. However, if a specific control is not implemented, the score is reduced and in some cases by more than just a single point. This means a negative score is possible. There are 42 controls worth 5 points, 14 controls worth 3 points, and 54 controls worth 1 point. Contractor’s that submit a score lower than 110 are also required to submit the exact date they expect to receive the perfect score.
Another facet of the NIST SP 800-171 Assessment Methodology is the three distinct levels of assessment that result in varying degrees of confidence.
TL;DR:
To determine whether the entire organization needs to meet NIST SP 800-171 compliance, Higher Education Institutions with individual DoD sponsored research labs should adopt an “enclave approach” and only secure the specific research labs that handle CUI data, creating a specific SSP for each CUI enclave, conducting a pre-assessment, documenting evidence of compliance and other artifacts, and submitting the initial score into the SPRS to be awarded contracts under the Interim Rule, with the possibility of requiring a medium or high assessment afterward, while also using the five-year interim period to prepare for the CMMC and track progress to full compliance using a GRC Assessment Platform.
TL;DR:
Isora GRC from SaltyCloud is the powerfully simple CMMC solution making regulatory compliance easier while helping organizations improve their cyber resilience.
The race against time to prepare for CMMC is intensifying as organizations attempt to safeguard sensitive data and meet DoD requirements ahead of anticipated implementation in May 2023.
Knowing where sensitive data resides, if it’s protected, and whether it meets the CMMC requirements warrants an agile and lightweight solution that transcends outdated GRC platforms and tedious manual spreadsheets.
Isora GRC from SaltyCloud is the powerfully simple solution changing how information security teams manage governance, risk, and compliance (GRC). A new intuitive, automated, and collaborative platform designed by GRC experts, Isora GRC helps organizations ace compliance audits, build information security culture, and strengthen cyber resilience at scale.
Join dozens of information security teams partnering with Isora GRC from SaltyCloud to build a risk and compliance program they can trust.
Discover how companies use Isora GRC from SaltyCloud to ease the pressure of CMMC.
Dive into our research-backed resources–from product one pagers and whitepapers, to webinars and more–and unlock the transformative potential of powerfully simple GRC.
Learn MoreLearn how NSPM-33 impacts research institutions and explore compliance strategies, including cybersecurity, export controls, and disclosure requirements.
This Complete Guide explores the basics and infosec compliance checklist for the GLBA Safeguards Rule in higher education.
All you need to know about the CMMC, its framework, compliance requirements, and practical tips for businesses and defense contractors.