In December 2020, the Department of Defense's long-awaited DFARS Interim Rule took effect. The Interim Rule requires defense contractors to conduct a self-assessment based on NIST 800-171 and report their results to the Department of Defense. The Interim Rule also writes the new CMMC framework, which will take several years to implement, into law. It's apparent that contractors who work with the government will have to hire CMMC consulting VA Beach professionals to become compliant.
All work performed by primes and subcontractors subject to the DFARS 252.204-7012 clause is now subject to the Interim Rule's obligations. This includes all defense contractors that work with CUI. Additionally, when CMMC is adopted, those contractors will be required to earn CMMC Level 3 certification. According to the Department of Defense, defense contractors that do not satisfy these requirements will not be given contracts.
Who is required to comply with the DFARS?
Contractors and subcontractors covered under the DFARS 252.204-7012 clause are now bound by the Interim Rule's obligations. Contracts will not be issued to businesses that do not satisfy these requirements.
Although the DFARS Interim Rule does not define minimum self-assessment scores, the Department of Defense will conduct risk-based evaluations to help select which firms will be awarded contracts. If a corporation has a low self-assessment score, it logically follows that the Department of Defense will view it as a more significant security risk than a competitor with a better score. Similarly, when considering potential suppliers, primes will evaluate self-assessment scores, and it is logical to predict that subcontractors with better scores will be more likely to win the work.
Boosting your firm's self-assessment score is unquestionably essential. Because CUI protection is so important in both DFARS and CMMC cybersecurity, improving it can help you quickly raise your self-assessment score. Because CUI is commonly communicated via email or files, systems that safeguard email and file sharing are essential tools for attaining that aim.
Contractors should begin their self-assessment, create an SSP, and report their results as soon as possible. As previously stated, POAMs should address gaps and provide an estimate of when they will be resolved. POAMs, on the other hand, will not be permitted under CMMC; hence it is critical to close these gaps with appropriate technology or policies.
It’s All About the Score
While the DFARS Interim Rule does not define minimum self-assessment scores, all firms intending to work for the Department of Defense should be aware that risk-based evaluations will be used to help select which businesses will be awarded contracts. If a corporation has a low self-assessment score, it logically follows that the DoD will view it as a more significant security risk than a rival with a higher score.
In the future, any Basic self-assessment score of less than 110 poses a business risk since it triggers a POAM, which is prohibited by CMMC rules. A contract requiring CMMC Level 3 compliance will additionally require vendors to meet 20 additional requirements beyond the 110 controls outlined in NIST 800-171. According to the Department of Defense, these CMMC requirements will begin appearing in DoD contracts in early 2021 and become more common after that.
The goal is to enhance your firm’s self-assessment score and strengthen your company’s cybersecurity controls—and therefore its basic protection of CUI—so that you may become a top-level player in the Defense Industrial Base.