The number of cyber-attacks on businesses, organizations, and governmental institutions has accelerated in just the last few years. Furthermore, the COVID-19 pandemic has weakened many organizations’ cybersecurity posture, which brought with it a new wave of successful attacks.
Frameworks like DFARS and CMMC are essential for making sure that all contractors and subcontractors who handle controlled unclassified information do so according to established cybersecurity standards. Still, the confusion created by unrealistic or inaccurate requirements, together with the delays in rolling out new regulations, can only lead to chaos if left unchecked.
The Defense Federal Acquisition Regulation Supplement (DFARS) is a memorandum issued by the Department of Defense (DoD) for contractors and subcontractors. It was designed as a set of cybersecurity requirements for contractors and organizations working with the DoD, intended to safeguard controlled unclassified information (CUI) from cyberattacks and accidental leaks.
Overall, the main purpose of this memorandum was to strengthen cybersecurity practices and make the Defense Industrial Base (DIB) more resilient against cyber threats. Unfortunately, the requirements and standards specified in DFARS are not clear enough for real-life implementation, which slowed down the entire process and left contractors and subcontractors in a state of confusion.
To help provide some clarity, the DoD released the Cybersecurity Maturity Model Certification (CMMC) framework, which was intended to replace the DFARS standard. Nevertheless, the CMMC has not been fully implemented, and the DoD still requires that all contractors and subcontractors that process, store, or transmit CUI comply with the DFARS minimum security standards. Otherwise, contractors risk losing their collaboration with the DoD.
In addition, on September 29, the DoD released an Interim Rule (effective November 30) that focuses on making sure all DoD contractors are currently in compliance with all 110 security controls in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171). The rule also adds CMMC as a requirement in DoD contracts.
Sadly, the rule does not answer many of the questions that contractors have regarding CMMC implementation. As a result, the situation is still uncertain, and many business owners are still in a state of confusion.
The Current CMMC Situation
As of now, the CMMC is not fully rolled out and DFARS is still in effect. In fact, the CMMC Accreditation Body (AB) has clearly stated that the DFARS standard is paramount for CMMC compliance for any DoD contractor that handles CUI, regardless of size.
In short, the CMMC framework is an improved version of the DFARS framework, with an added layer of control in the form of audits and assessments that validate your company’s cybersecurity practices against the standard. These assessments will be performed by independent, certified third-party organizations, and each contractor will be assigned a maturity level ranging from “Basic Cybersecurity Hygiene” to “Advanced/Progressive” (there are 5 levels in total).
For instance, a company working under DFARS that wants to reach level 3 (“Good Cybersecurity Hygiene”) should already have about 85% of the work laid out; this is because, out of the 130 controls, 110 come straight from NIST 800-171, which has been the standard for several years.
Since there were no specialized controls for the remaining requirements before the CMMC framework, many companies will have gaps. Based on our experience, some of the most common issues are:
- No system security plan
- Incomplete cybersecurity policies
- Missing multi-factor authentication (MFA) and/or encryption
- Incomplete incident response plans
So, before you apply for a CMMC evaluation, it is best to run a complete analysis to assess your current level of compliance.
The New DFARS Interim Rule
Up until now, DoD contractors and subcontractors who handle controlled unclassified information were required to self-assess their level of cybersecurity against the NIST SP 800-171 requirements. However, this has proven inefficient, since contractors lack a well-structured system to support them in this self-assessment. As a result, there are plenty of gaps and differences in planning from one business to another.
The Interim Rule is trying to improve this situation by helping contractors grade themselves using a standardized score. This way, each contractor can learn about the NIST SP 800-171 security requirements they still need to work on.
This means that all contractors that work with CUI will have to take the NIST 800-171 Self-Assessment (even if they already did one in the past) and then post their result in the Supplier Performance Risk System (SPRS). This new assessment will be based on the scoring methodology specified by the Interim Rule, and the DoD cannot award contracts without it.
In addition, contractors should expect random audits (performed by the DCMA) where their self-assessment and final scores will be checked.
If you want to stay in the game, your business needs to be in compliance. This means keeping up with the new standards, as challenging as they may be. Our specialists have the necessary knowledge and experience to get you there. We have the tools needed to evaluate where your business is and where it needs to be, and to provide the framework and action plan necessary to get there while keeping your core job functions protected. We are ready to become your cybersecurity team or fill the gaps in your cybersecurity program.
We can provide you with advice and guidance regarding CMMC compliance rules and we will always keep you up to date with any new developments in this area.
If you have questions about these topics, don’t hesitate to reach out to our specialists.
- Dario Rampersad
- Dec 28, 2020
- Security, Words Of Technical Wisdom