DFARS - NIST
If your company provides products or services to the Department of Defense (DoD), you will need to meet the cybersecurity standards and certification requirements set by the Defense Federal Acquisition Regulation Supplement (DFARS).
DFARS prescribes a set of security controls to safeguard the information systems on which contractor data resides. The current requirements are based on National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations,” and organizations need to implement its security controls at every level of their supply chain.
DFARS Interim Rule
Effective since November 30, 2020, the Defense Acquisition Regulations System released a new DFARS Interim Rule that supplements the existing DFARS 252.204-7012 clause. It serves as an interim procedure to bridge the gap between NIST SP 800-171 compliance and CMMC while CMMC is still being phased in. Organizations need to meet the DoD Self-Assessment and Supplier Performance Risk System (SPRS) score reporting requirements.
Recently, the DoD decided to revise the rules for its Cybersecurity Maturity Model Certification (CMMC) program; the new version, CMMC 2.0, will reduce the requirements. The revisions are intended to carry forward the original intent of the program, ensuring contractors follow best practices for protecting sensitive information on their networks, while also making it easier for small businesses to comply with the mandates. Stay tuned on these developments – we’ll keep you updated.
We provide a comprehensive program to help your organization meet the DoD Self-Assessment and Supplier Performance Risk System (SPRS) Score reporting requirements.
What the DFARS Interim Rule Means for Government Contractors
As a DoD contractor or subcontractor, you need to complete a DoD Self-Assessment against NIST SP 800-171 and report your score to SPRS in order to remain eligible for contracts that include the common DFARS 252.204-7012, 252.204-7019, and 252.204-7020 clauses.
This requirement applies to all contracts and subcontracts that include any of these clauses, even if you are not actually accessing, processing, or storing Controlled Unclassified Information (CUI).