November 13, 2020
If you’re unfamiliar with DFARS, it’s essentially a supplementary set of rules to the Federal Acquisition Regulation (FAR). In September, the Department of Defense (DoD) added a new rule to the Defense Federal Acquisition Regulation Supplement with the goal of strengthening cybersecurity protections. The rule establishes how the DoD will assess contractors under the current cybersecurity requirements in NIST SP 800-171 and under the newly established Cybersecurity Maturity Model Certification (CMMC) program. It officially goes into effect on Nov. 30, 2020, and it has two major parts. That doesn’t leave you much time to prepare.
DFARS may require immediate self-assessment.
Under the new rule, contractors and subcontractors that have access to controlled unclassified information (CUI) may need to conduct a basic self-assessment of their compliance with NIST 800-171 requirements. They must then submit the results of that assessment to the DoD through the Supplier Performance Risk System (SPRS).
Once all this goes into effect on November 30, contractors may not be eligible for new contracts unless the self-assessment score is posted on SPRS. Contracting officers will be required to check the database to confirm an entity that’s required to implement NIST SP 800-171 has an accurate SPRS Assessment prior to the award of a new contract or exercise of an option under an existing contract. The DoD expects that it will take 30 days from the time of email submission to have the self-assessment score posted on SPRS. If you have an account in SPRS, it will be immediately posted. Furthermore, contractors will need to update this self-assessment every three years or sooner.
DFARS now requires CMMC compliance.
In the second part of the new rule, we’re finally seeing CMMC put into official use. Over the next five years, DoD contractors will be required to have certification at the time of the award of certain contracts. In fact, starting in 2026, all DoD contracts (except those exclusively for commercially available items) will contain a CMMC requirement.
DoD contracts with a CMMC requirement will require that contractors be certified at one of five CMMC levels. We covered specific levels in more depth in a past article.
Your self-assessment score may need to be submitted immediately.
2025 is five years away, but now is the time to get started on the self-assessment portion, if nothing else. The self-assessment score may need to be submitted immediately so that eligibility is maintained. Remember: a score submitted by email takes 30 days to post. Getting at least this part done ensures that contractors remain eligible for new DoD contracts, as well as for options on existing DoD contracts.
Once that’s done, we recommend you reach out to CMMC professionals for help with assessment and preparation. And after that, you still have to go through the certification process itself by hiring a certified third-party auditor to conduct the CMMC audit. The good news is, Rimstorm has you covered on multiple fronts. Not only can you count on us to help you with CMMC prep, but we’ve also recently applied to become a Certified Third-Party Assessment Organization (C3PAO) ourselves.
You don’t have much time, but through us you’ll be able to accomplish everything all at once and stay ahead of the game — no matter what new regulatory curveball is thrown.