According to updated guidance from the Department of Defense (DoD), clauses 7019 and 7020 of the November 2020 DFARS interim rule will be incorporated into a final rule in December 2022. To strengthen NIST SP 800-171 compliance, the DFARS Interim Rule, which is currently in effect, requires that all defense contractors and providers of managed IT services for government contractors who handle Controlled Unclassified Information (CUI) and are subject to DFARS 252.204-7012 not only perform a NIST SP 800-171 self-assessment but also report their results to the DoD’s Supplier Performance Risk System (SPRS).
The Interim Rule also requires defense contractors to grant the DoD access to their systems, personnel, and facilities as needed for the DoD to conduct or update a higher-level assessment of NIST SP 800-171 compliance. In other words, vendors must consent to a DoD compliance review that goes beyond the contractor’s own self-assessment.
The DoD is making it clear that it intends to use the DFARS to strictly enforce defense contractors’ NIST SP 800-171 compliance. CMMC is expected to become an interim rule in March 2023, according to information provided by the DoD. Because both DFARS and CMMC require contractors to follow the same NIST SP 800-171 framework, and because enforcement is tightening, your company must act now to secure its CUI and comply with NIST SP 800-171 and the related DoD rules.
What does the NIST compliance update mean for DoD vendors?
Under the December 2022 Final DFARS Rule, defense companies that do nothing to become NIST compliant expose their business to significant risk.
Cybercrime is one of the most significant strategic risks facing the United States today. To protect the large attack surface of the Defense Industrial Base (DIB), the DoD is rapidly stepping up enforcement of its cybersecurity regulations. One component of this effort is the DoD’s move to a Final Rule in December 2022. Publication of a Final Rule will increase DoD assessments (also known as audits) of NIST SP 800-171 compliance across the DIB. More significantly, it gives the DoD and prime contractors a single, objective metric, the SPRS score, for evaluating a contractor’s cybersecurity posture.
Lack of an SPRS score raises red flags and puts your company’s ability to retain current DoD contracts and win new ones at risk. Some prime contractors have already formally asked their subcontractors for relevant cybersecurity information. If you are a subcontractor, be aware that primes are becoming more wary of working with any subcontractor that is not in compliance with DoD data protection regulations and will quickly switch to those that are.
The November 2020 DFARS Interim Rule makes prime contractors and managed IT service providers responsible for the security of their supply chains. The SPRS score requirement also gives prime contractors a way to quickly compare the cyber readiness of competing subcontractors. Keep in mind, too, that firms that falsely claim high levels of cybersecurity are subject to sanctions from the DoD and from the Justice Department, which launched a robust Civil Cyber-Fraud Initiative last year.
What must defense contractors do right away?
Recent DoD initiatives to improve the cybersecurity of the DIB send a strong message. The best thing you can do to ensure the long-term viability of your company is to start right away by:
- Raising your company’s cybersecurity standards and complying with NIST SP 800-171.
- Preparing your Plan of Action and Milestones (POA&M), System Security Plan (SSP), and other required documentation. Keep in mind that the SSP and POA&M are your organization’s primary documents for supporting its required compliance and its NIST SP 800-171 self-assessment.
- Performing an objective NIST SP 800-171 self-assessment and reporting your score to the DoD’s SPRS. Be sure the score accurately reflects your NIST SP 800-171 compliance level, and be ready for primes to request your SPRS score.
Be aware that the 110 security controls of NIST SP 800-171 will be aligned with the security requirements for CMMC Level 2. This means that the work your organization does now to comply with NIST SP 800-171 will let it reach CMMC Level 2 more quickly. Federal rulemaking to put the CMMC framework into effect is anticipated in March 2023. If you want to stay in the running for DoD contracts, your organization should be well on its way to full compliance with NIST SP 800-171 by then.