Understanding the DFARS Cybersecurity Interim Rule

The DFARS Interim Rule for cybersecurity went into effect on November 30, 2020. Soon, it will become final. So what does this mean for your business?

As of now, Defense Industrial Base (DIB) contractors that handle Controlled Unclassified Information (CUI) must comply with the NIST SP 800-171 security requirements. To be eligible for award, any contractor whose solicitation includes DFARS 252.204-7019 and 252.204-7020 must have a current NIST SP 800-171 self-assessment score posted in the Supplier Performance Risk System (SPRS). Over the next five years, however, the Department of Defense will require more than a self-assessment: it will require an official CMMC certification, as outlined in the soon-to-be-finalized Interim Rule.

If you’re a prime contractor or subcontractor with the Department of Defense—or if you want to compete for those contracts—these cybersecurity regulations directly impact your business.

Core Business Solutions is here to help businesses like yours achieve simple, effective security compliance. With our comprehensive solutions, even a small business with limited IT resources can understand and meet the new DFARS requirements.

What is the DFARS Interim Rule?

If your business works with DoD contracts, you’ll need to follow the DFARS Interim Rule.

In 2015, the DoD revised clause 252.204-7012 of the Defense Federal Acquisition Regulation Supplement (DFARS) to require compliance with NIST SP 800-171 from every DoD contractor that handles Controlled Unclassified Information (CUI). As of November 2020, this original requirement has been amended by an Interim Rule.

Under normal circumstances, a rule is proposed, commented on, and finalized before it takes effect. When a more urgent need arises, such as the need for stronger cybersecurity across the supply chain, a rule may take effect before it is finalized. This is called an Interim Rule, or an Interim Final Rule. Although an Interim Rule is enforceable immediately, it remains open for public comment until it is finalized.

The current DFARS Interim Rule adds three new clauses (252.204-7019, 252.204-7020 and 252.204-7021) alongside the original requirements of 252.204-7012. With this amendment, the DoD will require some level of cybersecurity maturity from essentially all contractors, including those that handle only Federal Contract Information (FCI) rather than CUI.

In addition, the Interim Rule increases accountability through the NIST SP 800-171 DoD Assessment Methodology. Companies must not only self-assess their compliance with the 110 NIST SP 800-171 requirements, but also post the resulting score in a central DoD database, the Supplier Performance Risk System (SPRS). Under the methodology, a perfect score is 110, and points are deducted for each unimplemented requirement, so the score is a concrete, comparable measure rather than a yes/no attestation.

Lastly, the Interim Rule spells out the requirements for future Cybersecurity Maturity Model Certification (CMMC).

252.204-7019. This clause applies the NIST SP 800-171 DoD Assessment Methodology. Contractors must have a current assessment (no more than three years old) on record before award. For most contractors this is a Basic assessment, which is a self-assessment, and its summary score is reported to the DoD through the Supplier Performance Risk System (SPRS).

252.204-7020. This clause gives the DoD the right to verify your compliance. It requires you to give DoD assessors access to your facilities, systems and personnel for a Medium or High assessment, and to flow the requirement down to subcontractors that handle CUI, which must also have a current score in SPRS. The DoD is not necessarily looking for perfect compliance, but it does expect the score you submitted to be accurate; an inflated self-assessment is a far greater risk than an honest, lower one.

252.204-7021. This clause introduces the Cybersecurity Maturity Model Certification (CMMC). In the near future, CMMC certification will be a condition of award for DoD contracts, so contractors should prepare now to keep their contracts and stay competitive. For planning purposes, the DoD states that the CMMC requirement will be rolled out gradually and will appear in all contracts by October 1, 2025.

Compliance vs Certification 

As of now, companies must demonstrate compliance with the NIST SP 800-171 requirements of DFARS, following the reporting structure outlined in DFARS 252.204-7019. However, these scores are based on a self-assessment. They do not come from an external assessment, and they do not amount to an official certification.

Starting soon, the DoD will require all contractors to become CMMC certified. Unlike the NIST SP 800-171 self-assessment, this will involve an assessment by an accredited third party and an official certification.

Whereas NIST SP 800-171 compliance is a single uniform requirement for all applicable contractors, CMMC certification comes at five different levels. If your business handles Controlled Unclassified Information (CUI), you will need CMMC Level 3 or higher. Level 3 is expected to be the most common level, with far fewer contracts requiring Level 4 or 5.

The requirements of CMMC are laid out in the DFARS Interim Rule clause 252.204-7021, set to be finalized early this summer.

When the Interim Rule is Finalized

Until the finalized DFARS rule is officially released, nobody can say for sure what changes will come.

But we can say for sure that our customers will be ready when they work with Core Business Solutions. We are a CMMC Registered Provider Organization, and our staff of consultants includes official CMMC Registered Practitioners.

When you work with Core, you never need to worry about being blindsided by changing standards. We’re at the forefront of CMMC and cybersecurity knowledge, constantly developing new solutions to make compliance and certification simple, fast, and effective. Our team stays on top of cybersecurity requirements so that you can focus on your business.