Understanding the Interim Rules of the DFARS and CMMC

Because the new CMMC necessities will not be fully implemented until 2026, the Defense Federal Acquisition Regulation Supplement (DFARS) founded the Interim Rule to press for the DoD Assessment Methodology element of the CMMC framework to get an indicator of contractor execution of existing cybersecurity prerequisites as soon as possible. According to DFARS Case 2019-D041, the Interim Rule requires all DoD prime contractors and the approximate 300,000+ members of the DIB supply chain to conduct a simple self of their prevailing cybersecurity stance and record their findings in the Supplier Performance Risk System, which is effective November 30, 2020. If you are a business that deals with Controlled Unclassified Information, you should hire a professional offering CMMC consulting Virginia Beach.

Understanding the Interim Rule

You should acquaint your company with the following critical components to assist you better grasping the DFARS Interim Rule specifications:

Self-assessment entails assessing the application of the NIST SP 800-171’s 110 various cybersecurity rules. While DFARS clause 252.204–7019 mandates that organizations undertake these self-assessments using the current DFARS clause 252.202-702, DFARS clause 252.204–7020 specifies the NIST (SP) 800-171 DoD Evaluation Method that must be used.

Scoring technique: For each NIST (SP) 800-171 control that the organization must apply, the grading system starts with an “ideal” grade of 110. For each control that has not been executed, points are removed. Each deduction is assigned a point value varying from one to five relevancy of the specific control. With the exception of identity management and FIPS-validated encryption, no credit is awarded for partly installed measures.

Score reporting is as follows: Within 30 days of assessing the IT infrastructure and cybersecurity measures, you must submit the self-assessment rating to a governmental Supplier Performance Risk System database.

SSP (System Security Plan): It is a record that gives detailed information on the NIST 800-171 controls that have been established, including operational processes, organizational policies, and technological components. You can also seek help from a CMMC consultant and MSP.

Plan of Action and Milestones (POA&M): If you haven’t finished implementing a control, you must provide POA&M documentation as an attachment that explains how you intend to resolve the shortcomings and when you’ll finish. Once previously defective variables have been resolved and mitigated, you can publish revised scores.

After December 1, 2020, fulfillment of the Interim Rule criteria will be a prerequisite for winning all-new federal or military contracts awarded after that date. 

Steps to Take Right Now

If it hasn’t already been done, your company should be prepared to undertake a full and comprehensive self-assessment to determine your cybersecurity posture score as quickly as possible to guarantee you’re properly safeguarding and preserving your data assets. This is the first stage in getting ready for the new CMMC framework’s expanded cybersecurity standards and certification procedure. Start developing and executing the required security policies early to guarantee you don’t neglect any contract extensions or renewal possibilities.