On September 29, 2020, the Department of Defense (DoD) posted notice of an Interim Rule on the Federal Register that impacts every company in the Defense Industrial Base (DIB). The Interim Rule amends the Defense Federal Acquisition Regulation Supplement (DFARS) for DoD contract engagements with respect to how the DoD will assess its contractors’ implementation of cybersecurity requirements. The Interim Rule spans nearly 90 pages, but at a high level, here’s what members of the DIB need to know.
What Is an Interim Rule?
An Interim Rule represents contractual requirements the DoD can enforce as of its effective date, not a Proposed Rule which still awaits approval. The Interim Rule may be modified before it becomes a Final Rule, but not necessarily.
When Does This Interim Rule Take Effect?
The Interim Rule takes effect on November 30, 2020. During the 60-day period between its announcement and effective date, the DoD will accept comments. That feedback, however, may not be reflected in any updates to the Interim Rule or in the Final Rule.
Why Did the DoD Pursue This Interim Rule?
Adversaries continue to execute cyber-attacks against the DoD and companies in its global, multi-tiered supply chain. These bad actors seek sensitive information, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Exfiltration of this information threatens national security and costs the U.S. economy hundreds of billions of dollars per year.
Despite the existence for nearly 3 years of DFARS clause 252.204-7012, which in part mandates that any company handling or storing CUI comply (or have a plan to comply) with all of the 110 security controls found in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), DoD supply chain cybersecurity has not improved, with the pace of compromise accelerating. The DoD pursued this Interim Rule to immediately and for the long-term implement stronger cybersecurity measures across the DIB.
How Does the Interim Rule Affect Companies Throughout the DoD Supply Chain?
The Interim Rule adds 3 new provisions and clauses (252.204-7019, -7020, -7021) to the DFARS. Collectively, these additions:
- Address the shortcomings of DFARS clause -7012. Contractors handling or storing CUI merely had to self-assess and self-attest to their full compliance with NIST SP 800-171 or that they had a plan to do so. This approach left room for misinterpretation or misrepresentation of compliance status, with little follow-up to confirm accuracy or progress on the plan to meet all 110 security controls.
- Require all DoD contracts (new or options/extensions) to incorporate the new Cybersecurity Maturity Model Certification (CMMC) framework as of October 1, 2025. CMMC applies to all members of the DIB to better protect FCI and CUI by shifting the focus from compliance to cybersecurity maturity and risk mitigation. It includes 5 levels of increasing strength, with limited scope at Level 1 (15 practices) for companies that don’t handle CUI, cumulatively building to Level 3 (3 processes and 130 practices, including the 110 NIST SP 800-171 controls) for companies that do handle CUI, to Level 5 (5 processes and 171 practices) for companies working on high-profile, high-value-asset programs subject to advanced persistent threats. Under CMMC, companies receive accreditation at the appropriate level upon successful completion of a third-party audit that confirms implementation of all requisite practices and processes.
- Account for a gradual 5-year transition from just requiring NIST SP 800-171 compliance to fully implementing a CMMC certification process that encompasses all NIST SP 800-171 controls at CMMC Level 3, thereby eliminating the need for contracts to be changed retroactively and accommodating the volume of companies (at least 225,000) impacted by accreditation. Each year, starting in FY2021, more contracts and companies will move under the CMMC umbrella.
Where Does the Interim Rule Change Requirements Related to NIST SP 800-171 and CMMC?
With respect to CMMC, the Interim Rule, through DFARS -7021, simply makes official what the DoD has publicly said since early 2019 – that the cybersecurity framework developed in partnership with the DIB would become the unified standard that ultimately would subsume NIST SP 800-171. Of note, the Interim Rule does state that a company must ensure that all of its downstream subcontractors and suppliers possess a current CMMC accreditation (issued within the prior 3 years) at the appropriate level (based on their role and access to CUI) at the time of contract award.
While the Interim Rule does not modify NIST SP 800-171 itself, it does alter, through DFARS -7019 and -7020, how companies report their compliance status to promote greater accuracy and accountability and to drive improved cybersecurity. Going forward, all members of the DIB subject to implementation of the NIST SP 800-171 standard must have a current (completed within the past 3 years) DoD Assessment on record in the DoD’s Supplier Performance Risk System (SPRS) to be eligible for an award, subcontract, or contract extension or modification. DoD Assessments fall into 3 categories:
- Basic Assessments – All companies that store or handle CUI must complete a self-assessment and post results to the SPRS. The Basic Assessment differs from prior self-assessment requirements by including a scoring component calculated using a specific DoD methodology. Companies that meet all 110 NIST SP 800-171 security controls receive a score of 110, and the score decreases based on values assigned to unimplemented or partially implemented controls. In addition, companies must indicate the date by which they commit to achieving the top score. They also must flow the Basic Assessment mandate down to all of their subcontractors and suppliers, and ensure that these entities submit their results for inclusion on SPRS.
- Medium Assessments – Some Basic Assessments will be audited by the DoD for validity based on program criticality or information sensitivity, requiring access to facilities, systems, and personnel. In this instance, the DoD will conduct a thorough document review and will engage in discussions with the selected company to obtain additional information and clarification.
- High Assessments – The DoD will audit other Basic Assessments with greater scrutiny. In this case, the DoD augments document review and discussion with verification, examination, and demonstration of systems to prove implementation of controls.
For Medium and High Assessments, the DoD will modify SPRS scoring as appropriate, at a minimum. More significantly, companies found to have misrepresented themselves on the Basic Assessment face the prospect of penalties under the False Claims Act.
Who Can Help Companies Prepare for the Interim Rule?
The new Interim Rule raises the stakes for all members of the DIB. Unquestionably, companies throughout the DoD supply chain must take action now to get ready. Whether it’s tracking the status of downstream subcontractors and suppliers completing their Basic Assessments, understanding the NIST SP 800-171 security controls and CMMC practices and processes in preparation for a Basic Assessment or third-party accreditation audit at any of the 5 levels, or building and validating the 30+ policies identified in the NIST SP 800-171 standard and CMMC framework, Exostar’s risk management solutions help companies keep pace with the DoD’s evolving cybersecurity regulations designed to protect all from harm.