
  • Do you handle Controlled Unclassified Information (CUI)?
  • Does any of your annual revenue come from Department of Defense (DoD) contracts?
  • Do you want to bid on DoD contracts in the future?
  • Are you a supplier in the defense industrial base?

If you answered “YES” to any of the above questions, then keep reading: your DoD contracts could be in jeopardy.

On November 30th, 2020, the new DFARS Interim Rule under DFARS Clause 2019-D041 went into effect to increase DoD contractor security under the existing DFARS 7012 requirements while Cybersecurity Maturity Model Certification (CMMC) implementation is still in development.

As part of this Interim Rule, there are three new DFARS Clauses:

  • DFARS 252.204-7019, Notice of NIST SP800-171 DoD Assessment Requirements
  • DFARS 252.204-7020, NIST SP800-171 Assessment Requirements
  • DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements

This rule enacts new requirements, such as a self-scoring methodology whose score must be reported, and announces increased audits by the Defense Contract Management Agency (DCMA) while the CMMC requirements are finalized.

If you have not complied with the new requirements that went into effect on November 30th, 2020, you could lose your eligibility to re-compete for contracts or lose your spot in the defense industrial base supply chain.

Action items that are MANDATORY for DoD manufacturers handling CUI to keep contracts:

  • Complete the new NIST 800-171 Self-Assessment based on the new scoring methodology.
  • Post your score in the Supplier Performance Risk System (SPRS).
  • Complete a System Security Plan (SSP) with a Plan of Action and Milestones (POAM) describing the current state of your network and your plan to achieve 100% compliance with the NIST 800-171 requirements with your SPRS submission.
  • Flow down the new requirement to your subcontractors and suppliers that handle CUI.
  • Prepare for random audits from the Defense Contract Management Agency.

If you have not submitted an SPRS score, immediate action is required to remain eligible for DoD contracts. As of December 1st, 2020, this is a requirement for all contractors with a 252.204-7012 clause in their agreement.

In the long term, manufacturers handling CUI will need to achieve CMMC Level 3 compliance. Fulfilling the requirements around the Interim Rule now will put you in a great position to achieve Level 3 compliance quickly and remain competitive.

If you have questions, are unsure if this applies to your company, or would like guidance through the process of complying with DFARS, please don’t hesitate to reach out to TechSolve.

Our team of cybersecurity compliance experts is here to help manufacturers every step of the way, to be a resource for them, and to make them feel confident that they are making the right decisions to safeguard their DoD contracts now and in the future.

Get Started on Your Path To Compliance

It Takes Most Companies 1-2 Years To Build A Mature Cybersecurity Program. For This Reason, It’s Important To Start Now So That Your Organization Can Comply With The New Interim Rule And Be Ready For CMMC.