DoD Now to Require Cybersecurity Self-Assessments with New DFARS Rule

On September 29, 2020, the Department of Defense (DoD) issued an interim rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS). The interim rule implements the Cybersecurity Maturity Model Certification (CMMC) program.

The rule introduces a new construct: the DoD Assessment Methodology. Before contracts undergo a full CMMC review, this new construct will serve as the interim certification process.

This is an important and impactful change.

Here’s what we think you need to know:

  • The interim rule goes into effect on November 30, 2020.
  • Public comments are encouraged. Please comment if you have the time.
  • The first step for most people will be a self-assessment in accordance with the DoD Assessment Methodology.
  • You’ll have to submit your assessment score to the DoD before you can be awarded new contracts.
  • If not all NIST 800-171 requirements are implemented, the Contracting Officer will be required to make a risk-based decision.
  • CMMC will concurrently go into effect over a period of 7 years.
    • Prior to Oct 1, 2025, the inclusion of the CMMC clause in a contract requires approval by the Undersecretary of Defense for Acquisition & Sustainment (USD(A&S)).
    • CMMC will be targeted at all levels of the supply chain, not just holders of Controlled Unclassified Information (CUI).
  • DoD reserves the right to conduct audits of 800-171 implementation and will conduct several hundred every year.

Primary Takeaway

If you handle CUI and are subject to DFARS 252.204-7012, you will be required to submit a self-assessment via the DoD portal, SPRS, at least every 3 years (this may be contractually shortened) until you become CMMC certified. Then your CMMC certification will take precedence.

Prior to the award of a new contract or exercise of an option under an existing contract, a contracting officer will be required to check the SPRS database for evidence of an active assessment.

No assessment, no award.

How Sera-Brynn Can Help

If you plan to bid on DoD work, ensure that you meet the requirements of NIST SP 800-171. Sera-Brynn can:

  • Perform Assessments
  • Provide Templates for Required Documentation
  • Become Your Long-Term Consultant
  • Inject Expertise with Short-Term Consulting
  • Provide Log Management / Incident Detection Solutions

Our cybersecurity analysts are standing by to help current and new clients finalize and submit the required Basic Assessment by the November 30 deadline.

Contact us at info@sera-brynn.com.

References

CMMC is the DoD’s “Cybersecurity Maturity Model Certification.”

CUI is “Controlled Unclassified Information.”

DFARS is the “Defense Federal Acquisition Regulation Supplement.”

NIST is the National Institute of Standards and Technology, a non-regulatory agency of the United States Department of Commerce.

SPRS stands for “Supplier Performance Risk System” — the Department of Defense’s single, authorized application to retrieve suppliers’ performance information.

The author, Colin Glover, is a principal and senior security analyst at Sera-Brynn, LLC.