- Do you handle Controlled Unclassified Information (CUI)?
- Does any of your annual revenue come from Department of Defense (DoD) contracts?
- Do you want to bid on DoD contracts in the future?
- Are you a supplier in the defense industrial base?
If you answered “YES” to any of the above questions, then keep reading: your DoD contracts could be in jeopardy.
On November 30th, 2020, the new DFARS Interim Rule under DFARS Clause 2019-D041 went into effect to increase DoD contractor security under the existing DFARS 7012 requirements while Cybersecurity Maturity Model Certification (CMMC) implementation is still in development.
As part of this Interim Rule, there are three new DFARS Clauses:
- DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements
- DFARS 252.204-7020, NIST SP 800-171 Assessment Requirements
- DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements
This rule enacts new requirements, such as a self-scoring methodology whose results must be reported, and announces increased audits by the Defense Contract Management Agency (DCMA) while the CMMC requirements are finalized.
If you have not complied with the new requirements that went into effect on November 30th, 2020, you could lose your eligibility to re-compete for contracts or lose your spot in the defense industrial base supply chain.
Action items that are MANDATORY for DoD manufacturers handling CUI to keep contracts:
- Complete the new NIST 800-171 Self-Assessment based on the new scoring methodology.
- Post your score in the Supplier Performance Risk System (SPRS).
- Along with your SPRS submission, complete a System Security Plan (SSP) with a Plan of Action and Milestones (POAM) describing the current state of your network and your plan to achieve 100% compliance with the NIST 800-171 requirements.
- Flow down the new requirement to your subcontractors and suppliers that handle CUI.
- Prepare for random audits from the Defense Contract Management Agency.
If you have not submitted an SPRS score, immediate action is required to remain eligible for DoD contracts. As of December 1st, 2020, this is a requirement for all contractors with a 252.204-7012 clause in their agreement.
In the long term, manufacturers handling CUI will need to achieve CMMC Level 3 compliance. Fulfilling the requirements around the Interim Rule now will put you in a great position to achieve Level 3 compliance quickly and remain competitive.
If you have questions, are unsure if this applies to your company, or would like guidance through the process of complying with DFARS, please don’t hesitate to reach out to TechSolve.
Our team of cybersecurity compliance experts is here to help manufacturers every step of the way, to be a resource for them, and to make them feel confident that they are making the right decisions to safeguard their DoD contracts now and in the future.
Get Started on Your Path To Compliance
It takes most companies 1-2 years to build a mature cybersecurity program. For this reason, it’s important to start now so that your organization can comply with the new Interim Rule and be ready for CMMC.