
January 31, 2021
DFARS Interim Rule & Higher Education
Table of Contents
Introduction
What is the purpose of the DFARS Interim Rule?
Who is required to comply with the DFARS Interim Rule?
Are Higher Education Institutions exempt from the DFARS Interim Rule?
What is included in the DFARS Interim Rule?
Are there penalties associated with the DFARS Interim Rule?
How does the NIST SP 800-171 Assessment Methodology work?
What steps can I take to comply with the DFARS Interim Rule?
Can SaltyCloud help with the DFARS Interim Rule?
Introduction
The Department of Defense (DoD) released the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule on September 29, 2020, and it went into effect on November 30, 2020.
The DFARS Interim Rule introduces three new contract clauses (252.204-7019, 252.204-7020, and 252.204-7021) to enable the five-year phased rollout of the Cybersecurity Maturity Model Certification (CMMC), which is to be in place across all applicable contracts by October 1, 2025.
Specifically, the DFARS Interim Rule requires contractors to have a System Security Plan (SSP), quantify their implementation of NIST SP 800-171 as a numeric score, self-report that score in the Supplier Performance Risk System (SPRS), and, where the score is below 110, state the date by which they expect full implementation, all prior to a new contract award or the exercise of a contract option.
Higher Education Institutions that conduct DoD sponsored research are required to comply with the DFARS Interim Rule.
What is the purpose of the DFARS Interim Rule?
The purpose of the DFARS Interim Rule is to kickstart the five-year, phased rollout of the Cybersecurity Maturity Model Certification (CMMC). Prior to the Interim Rule, DFARS 252.204-7012 already required any contractor whose systems process, store, or transmit Controlled Unclassified Information (CUI) to implement NIST SP 800-171, but it gave the DoD no visibility into how completely each contractor had done so. During the interim period (November 30, 2020 through September 30, 2025), contractors must complete a NIST SP 800-171 self-assessment using the NIST SP 800-171 DoD Assessment Methodology and report the resulting score to SPRS.
Once CMMC is fully in place, every contractor will need to be certified at least at Level 1, which covers Federal Contract Information (FCI) and consists of 17 practices. Contractors that receive, create, or transmit CUI will need Level 3 certification, which consists of 130 practices and their related policies. Certification is evidence-based: contractors must document multiple forms of evidence for each practice rather than simply attest to it.
Who is required to comply with the DFARS Interim Rule?
Any prime contractor or subcontractor for the DoD that handles Controlled Unclassified Information (CUI) will need to comply with the new DFARS Interim Rule. For Higher Education Institutions that conduct DoD research, this includes the research labs themselves and the systems that support them.
Are Higher Education Institutions exempt from the DFARS Interim Rule?
No, Higher Education Institutions are not exempt from the DFARS Interim Rule or from the CMMC. During the CMMC Virtual Summit held on September 15, 2020, Katie Arrington, CISO for the Office of the Under Secretary of Defense for Acquisition and Sustainment, indicated that fundamental research conducted at Higher Education Institutions under DoD contracts would fall under CMMC Level 1. EDUCAUSE and several other organizations have urged the DoD to consider excluding Higher Education Institutions from the DFARS Interim Rule and the CMMC; however, the DoD has not responded to those comments.
What is included in the DFARS Interim Rule?
The DFARS Interim Rule introduces three new clauses (7019, 7020, and 7021).
- DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements
  This clause gives contractors notice that they must keep a current record of their NIST SP 800-171 implementation in SPRS. For any contractor required to implement NIST SP 800-171 under DFARS 252.204-7012, this means having a Basic, Medium, or High assessment that is no more than three years old (unless the solicitation specifies a shorter period), conducted under the NIST SP 800-171 DoD Assessment Methodology, with the result posted in SPRS. Contractors start with a Basic assessment, which is a self-assessment. Depending on the criticality of the program or the sensitivity of the information the contractor handles, the DoD may instead require a Medium or High assessment, which is conducted by the Defense Contract Management Agency (DCMA).
- DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements
  This clause requires a contractor to give the government access to its facilities, systems, and personnel whenever the DoD needs to conduct or renew a Medium or High assessment. It also requires the contractor to confirm that each subcontractor has the results of a current NIST SP 800-171 assessment posted in SPRS before awarding a subcontract or other contractual instrument. Finally, for Medium and High assessments, the clause gives the contractor 14 business days to provide additional information demonstrating that it meets any security requirements the assessment team did not observe, or to rebut the assessment findings.
- DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements
  This clause codifies the CMMC into the federal regulatory framework, in line with the five-year phased rollout. It states that by October 1, 2025, all contracts, solicitations, task orders, and delivery orders will include CMMC requirements, except those solely for the acquisition of commercially available off-the-shelf (COTS) items. Until then, including CMMC requirements in a given solicitation must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)).
Are there penalties associated with the DFARS Interim Rule?
Yes, there are several possible penalties associated with the DFARS Interim Rule.
- Contractors will not be awarded contracts, and cannot award subcontracts, unless they and their relevant subcontractors have a current NIST SP 800-171 assessment posted in SPRS. Note that the rule requires a current, accurately reported score, not a perfect one; a score below 110 with a POA&M completion date still satisfies the posting requirement.
- Under the False Claims Act, contractors could face liability for a self-assessment that is improperly conducted or inaccurately reported. Although the rule does not say so directly, prime contractors could also be held responsible for inaccurate self-assessments submitted by their subcontractors.
- Less favorable assessment scores may limit a contractor's competitiveness, although whether and how scores will be used in best-value determinations for contract awards has not yet been defined.
How does the NIST SP 800-171 Assessment Methodology work?
The NIST SP 800-171 DoD Assessment Methodology defines a single scoring system by which the DoD can compare contractors' implementation of NIST SP 800-171 and so gain a view of their security posture. The highest possible score is 110, reflecting full implementation of all 110 security requirements. Each requirement that is not implemented subtracts its assigned weight from 110: there are 42 requirements worth 5 points, 14 worth 3 points, and 54 worth 1 point, so a single missing requirement can cost more than one point, and because the weights add up to well over 110, a negative score is possible. Two requirements, 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography), can receive partial credit, losing 3 points instead of 5 when they are partly implemented. The System Security Plan requirement (3.12.4) carries no point value because without an SSP the assessment cannot be completed at all. Contractors that submit a score lower than 110 must also submit the specific date by which they expect to reach 110.
Another facet of the NIST SP 800-171 Assessment Methodology is the three distinct levels of assessment that result in varying degrees of confidence.
- Basic Assessment
- This assessment is a self-assessment that results in a “low” level of confidence.
- Medium Assessment
- This assessment includes a review of your System Security Plan (SSP) by the DCMA and results in a “medium” level of confidence.
- High Assessment
- This assessment includes an on-site or virtual assessment by the DCMA and results in a “high” level of confidence.
What steps can I take to comply with the DFARS Interim Rule?
- Evaluate your organization and determine whether the whole institution needs to meet NIST SP 800-171. For Higher Education Institutions with individual DoD-sponsored research labs, this is usually not the case, which means you can adopt what is called an "enclave approach". With this approach, the institution only needs to secure the specific research labs that handle Controlled Unclassified Information (CUI), the "CUI enclaves". When in doubt, follow the data: determine where CUI is stored and map how it moves within the institution and between the institution and its subcontractors.
- For each CUI enclave, create a dedicated System Security Plan (SSP) that covers the specific systems, people, and locations involved with that CUI. If you need help scoping a CUI enclave, the CMMC Accreditation Body (CMMC-AB) maintains a marketplace of practitioners who can assist.
- Once your CUI enclaves are defined and their SSPs written, we recommend conducting a pre-assessment. The pre-assessment is for internal use only and will help you identify compliance gaps in each CUI enclave. You will be able to see which controls are missing, make informed decisions about how to implement them, and begin working on a Plan of Action and Milestones (POA&M) if necessary. You can also use the pre-assessment to collect evidence of compliance and other artifacts, which matter in case of a DCMA assessment and when preparing for third-party assessments such as the CMMC. A GRC assessment platform like Isora GRC can help streamline the assessment workflow and evidence collection.
- Submit your initial score to SPRS; without it you cannot be awarded contracts under the Interim Rule. As you implement additional controls, update your score in SPRS to reflect your current progress. At present, SPRS asks for the following:
  - Date the assessment was completed
  - Assessment score (110 or lower)
  - Scope of the assessment (Enterprise, Enclave, or Contract)
    - Contract: a contract-specific SSP review
    - Enterprise: the entire organization's network under the CAGE codes listed
    - Enclave: a standalone unit under the enterprise CAGE, such as a business unit, test enclave, or hosted resource
  - POA&M completion date (the specific calendar date by which you expect to reach a score of 110)
  - Included CAGEs (the CAGE codes you are reporting as covered by the SSP)
- After you’ve submitted your basic assessment, the contract may require a medium or high assessment. An assessor from the DCMA will be assigned to your organization to complete either assessment.
- Finally, although not yet explicitly required, use the five-year interim period to prepare for the CMMC. Treating CMMC as a maturity model, full implementation of NIST SP 800-171 roughly aligns with CMMC Level 3. If you are using a GRC assessment platform like Isora GRC, you can build on your initial NIST SP 800-171 assessments to implement the additional controls required for a higher CMMC level, or to track progress toward full compliance at the level your organization intends to certify.
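The scoring rules from the assessment methodology section above and the SPRS fields listed in this step, worked through in Python as an added example; this is not code from the original page or from SaltyCloud. The point values in WEIGHTS are a constructed subset used only for illustration: the authoritative weights for all 110 requirements are in Annex A of the NIST SP 800-171 DoD Assessment Methodology and must be loaded in full for a real submission. The partial-credit rule for 3.5.3 and 3.13.11 and the no-SSP rule for 3.12.4 follow the methodology; the function names, the status vocabulary, the record field names, and the sample CAGE code are assumptions made for the example.

```python
"""DoD Assessment Methodology scorer and SPRS record builder (added example)."""
from datetime import date
from typing import Dict, Iterable, Optional

MAX_SCORE = 110

# Points deducted when a requirement is NOT implemented. Constructed illustrative
# subset; load the full 110-entry table from Annex A of the methodology for real use.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.5": 3,    # least privilege
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.5.7": 1,    # password complexity
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.14.1": 5,   # flaw remediation
}

# The methodology allows partial credit for exactly two requirements: 3 points
# instead of 5 when MFA covers remote and privileged but not general users (3.5.3),
# or when encryption is used but is not FIPS-validated (3.13.11).
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# 3.12.4 (System Security Plan) has no point value: with no SSP the assessment
# cannot be completed, so no score is produced at all.
SSP_REQUIREMENT = "3.12.4"

VALID_STATUSES = {"implemented", "partial", "not_implemented"}  # assumed vocabulary
VALID_SCOPES = {"Enterprise", "Enclave", "Contract"}


class AssessmentError(ValueError):
    """Raised when the inputs cannot yield a valid score or SPRS record."""


def compute_score(statuses: Dict[str, str], weights: Dict[str, int] = WEIGHTS) -> int:
    """110 minus the deduction for each weighted requirement not fully implemented.
    Requirements absent from `statuses` count as not implemented: every requirement
    must be assessed, and silence never earns points."""
    if statuses.get(SSP_REQUIREMENT, "not_implemented") != "implemented":
        raise AssessmentError("no System Security Plan (3.12.4): assessment cannot be completed")
    score = MAX_SCORE
    for req, weight in weights.items():
        status = statuses.get(req, "not_implemented")
        if status not in VALID_STATUSES:
            raise AssessmentError(f"{req}: unknown status {status!r}")
        if status == "implemented":
            continue
        if status == "partial":
            if req not in PARTIAL_DEDUCTION:
                raise AssessmentError(f"{req}: partial credit exists only for {sorted(PARTIAL_DEDUCTION)}")
            score -= PARTIAL_DEDUCTION[req]
        else:
            score -= weight
    return score


def minimum_score(weights: Dict[str, int] = WEIGHTS) -> int:
    """Lowest reachable score for a weight table; negative once the weights sum past 110."""
    return MAX_SCORE - sum(weights.values())


def sprs_record(statuses: Dict[str, str], assessed_on: str, scope: str, cages: Iterable[str],
                poam_completion: Optional[str] = None, weights: Dict[str, int] = WEIGHTS) -> dict:
    """Assemble the SPRS fields (dates as ISO-8601 strings). A POA&M completion date
    is mandatory whenever the score is below 110 and may not precede the assessment."""
    if scope not in VALID_SCOPES:
        raise AssessmentError(f"scope must be one of {sorted(VALID_SCOPES)}")
    cage_list = sorted(set(cages))
    if not cage_list:
        raise AssessmentError("at least one CAGE code must be listed")
    assessed = date.fromisoformat(assessed_on)
    score = compute_score(statuses, weights)
    poam = date.fromisoformat(poam_completion) if poam_completion else None
    if score < MAX_SCORE:
        if poam is None:
            raise AssessmentError("POA&M completion date is required when the score is below 110")
        if poam < assessed:
            raise AssessmentError("POA&M completion date cannot precede the assessment date")
    return {
        "assessment_date": assessed.isoformat(),
        "score": score,
        "scope": scope,
        "included_cages": cage_list,
        "poam_completion_date": poam.isoformat() if poam else None,
    }


if __name__ == "__main__":
    # Constructed sample: an enclave whose SSP exists, with MFA only for remote and
    # privileged users and two requirements still open (assumed CAGE code).
    sample = {req: "implemented" for req in WEIGHTS}
    sample[SSP_REQUIREMENT] = "implemented"
    sample["3.5.3"] = "partial"
    sample["3.5.7"] = "not_implemented"
    sample["3.14.1"] = "not_implemented"
    print(sprs_record(sample, "2021-01-15", "Enclave", ["1ABC2"], "2021-09-30"))
```

Run it as a script to see the record for the constructed sample (score 101: 110 minus 3 for partial MFA, 1 for password complexity, 5 for flaw remediation). The builder refuses a sub-110 score without a POA&M date and refuses to score at all without an SSP, which are the two submission mistakes most likely to create False Claims Act exposure.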
Can SaltyCloud help with the DFARS Interim Rule?
Yes, SaltyCloud is a CMMC Registered Practitioner Organization (RPO). We provide Isora GRC, a GRC Assessment Platform hosted on GovCloud that provides an end-to-end, automated workflow to help you manage your DFARS Interim Rule compliance and CMMC pre-assessments.
Learn more about Isora GRC or email us at info@saltycloud.com.
Today, Salty Cloud, PBC, a SaaS infosec company specializing in providing scalable security solutions to EDU and government sectors, announced that they have acquired exclusive, worldwide rights to multiple infosec applications including: ISORA, STACHE, DORKBOT, SENF and PANOPTICON from the University of Texas at Austin.