DFARS Interim Rule & Higher Education

Table of Contents

Introduction
What is the purpose of the DFARS Interim Rule?
Who is required to comply with the DFARS Interim Rule?
Are Higher Education Institutions exempt from the DFARS Interim Rule?
What is included in the DFARS Interim Rule?
Are there penalties associated with the DFARS Interim Rule?
How does the NIST SP 800-171 Assessment Methodology work?
What steps can I take to comply with the DFARS Interim Rule?
Can SaltyCloud help with the DFARS Interim Rule?

Introduction

The Department of Defense (DoD) released the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule on September 29, 2020, and it went into effect on November 30, 2020.

The DFARS Interim Rule introduces several new contract clauses (252.204–7019, 252.204–7020, and 252.204–7021) to enable the five-year phased rollout of the Cybersecurity Maturity Model Certification (CMMC), which is to be fully in place by October 1, 2025.

Specifically, the DFARS Interim Rule requires contractors to have a System Security Plan (SSP), quantify their compliance with NIST SP 800-171, self-report that status on the Supplier Performance Risk System (SPRS), and provide a timeline for full compliance, prior to a new contract award or the exercise of a contract option.

Higher Education Institutions that conduct DoD-sponsored research are required to comply with the DFARS Interim Rule.

What is the purpose of the DFARS Interim Rule?

The purpose of the DFARS Interim Rule was to kickstart the five-year, phased rollout of the Cybersecurity Maturity Model Certification (CMMC). Prior to the Interim Rule, DFARS 252.204-7012 required any contractor with systems that stored or transmitted Controlled Unclassified Information (CUI) to agree to be compliant with NIST SP 800-171. In the interim period (November 30, 2020–September 30, 2025), contractors will need to complete a NIST SP 800-171 self-assessment using the NIST SP 800-171 Assessment Methodology and report the score to the SPRS.

In the future, all contractors will need to be Level 1 certified at the least for Federal Contract Information (FCI) which entails 17 practices. Those contractors that receive, create, or transmit CUI will need to be Level 3 certified which entails 130 practices and related policies. Contractors will also need to demonstrate proof by documenting multiple forms of evidence for each practice.

Who is required to comply with the DFARS Interim Rule?

Any prime contractor or subcontractor for the DoD who handles Controlled Unclassified Information (CUI) will need to comply with the new DFARS Interim Rule. This includes research labs, and the systems that support them, in Higher Education Institutions that conduct DoD research.

Are Higher Education Institutions exempt from the DFARS Interim Rule?

No, Higher Education Institutions are not exempt from the DFARS Interim Rule or the CMMC. During the CMMC Virtual Summit hosted on September 15, 2020, Katie Arrington, CISO at the Office of Acquisition and Sustainment, indicated that fundamental research conducted at Higher Education Institutions as part of DoD contracts would fall under CMMC Level 1. EDUCAUSE and several other organizations have urged the DoD to consider excluding Higher Education Institutions from the DFARS Interim Rule and the CMMC; however, the DoD has not responded to the comments.

What is included in the DFARS Interim Rule?

The DFARS Interim Rule introduces three new clauses (7019, 7020, 7021).

  • DFARS 252.204–7019, Notice of NIST SP 800–171 DoD Assessment Requirements
      • This clause provides notice to contractors of their requirement to maintain a record of their NIST SP 800-171 compliance within the SPRS. As per the NIST SP 800-171 Assessment Methodology required by DFARS 252.204–7012, this means that contractors will need to have a Basic, Medium, or High assessment completed every three years and maintain a record of it on the SPRS. Contractors will start with a Basic assessment, which is a self-assessment. However, depending on the criticality of the program or the sensitivity of the information being handled by the contractor, contractors may be subject to a Medium or High assessment conducted by the Defense Contract Management Agency (DCMA).
  • DFARS clause 252.204–7020, NIST SP 800–171 DoD Assessment Requirements
      • This clause requires a contractor to provide the government with access to its facilities, systems, and personnel when it is necessary for the DoD to conduct or renew a Medium or High assessment. Furthermore, the clause requires the contractor to ensure that its subcontractors also have the results of a current NIST SP 800-171 assessment posted in SPRS prior to awarding a subcontract or other contractual instrument. Finally, the clause states that for Medium and High assessments, contractors have a 14-day period to provide additional information demonstrating that they meet any security requirements not observed by the assessment team, or to rebut findings they dispute.
  • DFARS clause 252.204–7021, Cybersecurity Maturity Model Certification Requirements
      • This clause codifies the CMMC into the federal regulatory framework, aligning with the five-year phased rollout of CMMC. The clause states that all contracts, solicitations, task orders, or delivery orders will include CMMC requirements by October 1, 2025, except for those that are solely for the acquisition of commercially available off-the-shelf (COTS) items. Until then, the inclusion of CMMC requirements must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S).

Are there penalties associated with the DFARS Interim Rule?

Yes, there are several possible penalties associated with the DFARS Interim Rule.

  • Contractors will not be awarded contracts, nor can they award subcontracts, unless they and their relevant subcontractors have demonstrated compliance with the NIST SP 800-171 security controls on the SPRS.
  • As per the False Claims Act, contractors could face liability for a self-assessment that is improperly conducted or reported. And although not directly stated anywhere, contractors could possibly be held responsible for self-assessments submitted by their subcontractors.
  • Less favorable assessment scores may limit a contractor's competitiveness, depending on if and how scores are used in best-value determinations for contract awards.

How does the NIST SP 800-171 Assessment Methodology work?

The NIST SP 800-171 Assessment Methodology creates a definitive scoring system by which the DoD can consistently assess a contractor's implementation of NIST SP 800-171 and thus gain an understanding of its security posture. The highest possible score is 110, which reflects full implementation of all 110 controls in NIST SP 800-171. For each control that is not implemented, the score is reduced by that control's weight, which in some cases is more than a single point; because the weights add up to far more than 110, a negative score is possible. There are 42 controls worth 5 points, 14 controls worth 3 points, and 54 controls worth 1 point. Contractors that submit a score lower than 110 are also required to submit the exact date by which they expect to reach the perfect score.
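The scoring rule above is simple enough to check mechanically, and doing so before posting a score to SPRS is a useful internal control given the False Claims Act exposure discussed earlier. The following is an added example, not code from the page or from SaltyCloud, that computes the score from a control inventory using the weight groups stated on the page (42 controls at 5 points, 14 at 3, 54 at 1), validates that the inventory actually has that shape, and lists unimplemented controls heaviest-first for POA&M planning. The control identifiers (`CTRL-001` and so on) are constructed placeholders; a real assessment uses the NIST SP 800-171 control numbers and the weight the DoD methodology assigns to each.

```python
"""Score a NIST SP 800-171 self-assessment the way the DoD Assessment
Methodology described above does: start at 110 and subtract the weight
of every control that is not implemented.

Example code with constructed data; not part of the original page.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Weight groups as stated on the page: 42 controls at 5, 14 at 3, 54 at 1.
WEIGHT_GROUPS = {5: 42, 3: 14, 1: 54}
MAX_SCORE = 110


@dataclass(frozen=True)
class Control:
    ident: str
    weight: int
    implemented: bool


def build_inventory(not_implemented: FrozenSet[str] = frozenset()) -> List[Control]:
    """Construct a placeholder inventory of 110 controls.

    Identifiers are made up (CTRL-001 .. CTRL-110); the first 42 carry
    weight 5, the next 14 weight 3, the remaining 54 weight 1. Controls
    whose identifier appears in `not_implemented` are marked as gaps.
    """
    controls: List[Control] = []
    n = 1
    for weight, count in WEIGHT_GROUPS.items():
        for _ in range(count):
            ident = f"CTRL-{n:03d}"
            controls.append(Control(ident, weight, ident not in not_implemented))
            n += 1
    return controls


def validate_inventory(controls: Iterable[Control]) -> None:
    """Reject an inventory that does not match the methodology's structure.

    A wrong control count or weight distribution would produce a score
    that looks plausible but is not what SPRS expects.
    """
    controls = list(controls)
    if len(controls) != MAX_SCORE:
        raise ValueError(f"expected {MAX_SCORE} controls, got {len(controls)}")
    for weight, expected in WEIGHT_GROUPS.items():
        actual = sum(1 for c in controls if c.weight == weight)
        if actual != expected:
            raise ValueError(f"expected {expected} controls of weight {weight}, got {actual}")
    unknown = [c.ident for c in controls if c.weight not in WEIGHT_GROUPS]
    if unknown:
        raise ValueError(f"controls with an unknown weight: {unknown}")


def assessment_score(controls: Iterable[Control]) -> int:
    """110 minus the summed weight of unimplemented controls; may be negative."""
    controls = list(controls)
    validate_inventory(controls)
    return MAX_SCORE - sum(c.weight for c in controls if not c.implemented)


def poam_items(controls: Iterable[Control]) -> List[Control]:
    """Unimplemented controls, heaviest first, as a remediation order for the POA&M."""
    return sorted((c for c in controls if not c.implemented),
                  key=lambda c: (-c.weight, c.ident))


def minimum_possible_score() -> int:
    """The score if nothing is implemented: 110 - (42*5 + 14*3 + 54*1)."""
    return MAX_SCORE - sum(w * n for w, n in WEIGHT_GROUPS.items())


if __name__ == "__main__":
    # Constructed gap list: one control from each weight group.
    gaps = frozenset({"CTRL-001", "CTRL-043", "CTRL-057"})
    inv = build_inventory(gaps)
    print("score:", assessment_score(inv))
    for c in poam_items(inv):
        print(f"  POA&M item {c.ident} (weight {c.weight})")
    print("minimum possible score:", minimum_possible_score())
```

With the constructed gap list the score is 101 (110 minus 5, 3 and 1), and an inventory with nothing implemented scores -196, which is why the page notes a negative score is possible.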

Another facet of the NIST SP 800-171 Assessment Methodology is the three distinct levels of assessment that result in varying degrees of confidence.

  • Basic Assessment
    • This assessment is a self-assessment that results in a “low” level of confidence.
  • Medium Assessment
    • This assessment includes a review of your System Security Plan (SSP) by the DCMA and results in a “medium” level of confidence.
  • High Assessment
    • This assessment includes an on-site or virtual assessment by the DCMA and results in a “high” level of confidence.

What steps can I take to comply with the DFARS Interim Rule?

  1. Evaluate your organization and determine whether the whole organization will need to meet NIST SP 800-171 compliance. For Higher Education Institutions with individual DoD-sponsored research labs, this is usually not the case. This means you can adopt what is called an "enclave approach". By leveraging this approach, Higher Education Institutions only need to worry about securing the specific research labs that handle Controlled Unclassified Information (CUI), or "CUI enclaves". When in doubt, follow the data: determine where CUI is stored and map out how it moves throughout the organization or between the organization and subcontractors.
  2. For each CUI enclave, you’ll need to create a specific System Security Plan (SSP) that covers the specific systems, people, and locations that involve the specific CUI. If you need help scoping your CUI enclave, the CMMC Accreditation Body (CMMC-AB) provides a marketplace of practitioners that can help you.
  3. Once your CUI enclaves are defined and SSPs created, we recommend conducting a pre-assessment. The pre-assessment is for internal use only and will help you identify compliance gaps in your CUI enclave. You'll be able to understand which controls are missing, make strategic decisions about how to implement them, and begin working on a POA&M if necessary. You can also leverage the pre-assessment to document evidence of compliance and other artifacts. These are important in case of a DCMA audit or to prepare for other third-party assessments, including the CMMC. You can leverage a GRC Assessment Platform like Isora GRC to help you streamline your assessment workflow and collect evidence.
  4. You will need to submit your initial score into the SPRS in order to be awarded contracts under the Interim Rule. As you implement new controls you can update your score on the SPRS to reflect your current progress. As of now you’ll need to provide the following in the SPRS:
    • Date the assessment was completed
    • Assessment score (110 or lower)
    • Scope of assessment (e.g., Enterprise, Enclave, or Contract)
      • Contract: contract-specific SSP review
      • Enterprise: the entire organization's network under the CAGEs listed
      • Enclave: a standalone unit under the Enterprise CAGE, such as a business unit (test enclave, hosted resources, etc.)
    • POA&M completion date (the specific calendar date by which you predict you will attain a score of 110)
    • Included CAGEs (the CAGEs you are reporting that are covered by the SSP)
  5. After you’ve submitted your basic assessment, the contract may require a medium or high assessment. An assessor from the DCMA will be assigned to your organization to complete either assessment.
  6. Finally, although not explicitly required just yet, this five-year interim period should be used to prepare for the CMMC. If you treat CMMC as a maturity model, meeting compliance with NIST SP 800-171 roughly aligns with CMMC Level 3. If you’re using a GRC Assessment Platform like Isora GRC, you can work off of your initial NIST SP 800-171 assessments to help you implement the additional controls required for a higher-level CMMC or track the progress to full compliance at the level your organization intends to get certified.

Can SaltyCloud help with the DFARS Interim Rule?

Yes, SaltyCloud is a CMMC Registered Practitioner Organization (RPO). We provide Isora GRC, a GRC Assessment Platform hosted on GovCloud that provides an end-to-end, automated workflow to help you manage your DFARS Interim Rule compliance and CMMC pre-assessments.

Learn more about Isora GRC or email us at info@saltycloud.com.
