In September of 2020, the DoD released an interim rule, effective November 30, to "amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a DoD Assessment Methodology and Cybersecurity Maturity Model Certification (CMMC) framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain."
The DFARS interim rules' primary objectives are to immediately address security and compliance weaknesses within the defense supply chain and act as the launching point to prepare for CMMC certification.
This post covers key information for contractors to understand the DFARS interim rule and how to submit a self-assessment score.
Who does the interim rule apply to?
The interim rule applies to contracts that incorporate DFARS 252.204-7012, which requires contractors and subcontractors that have access to covered defense information to comply with the NIST requirements.
What are the interim rule requirements?
The DoD is asking contractors and subcontractors to submit a self-assessment of their DFARS cybersecurity controls in the Supplier Performance Risk System (SPRS). The interim rule is laying the groundwork for CMMC by emphasizing the DFARS clause (DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements) requiring contractors to:
- immediately post Assessments of cybersecurity compliance on the DoD's Supplier Performance Risk System (SPRS)
- verify that an offeror has a current (i.e., not more than three years old, unless a lesser time is specified in the solicitation) Basic Assessment on record prior to contract award
The interim rule went into effect on November 30, 2020; how long do I have to submit a score?
While there isn't a documented deadline date, the DoD is cracking down on non-compliance, so contractors and subcontractors should report their self-assessment scores as soon as possible. Without an accurate score reported to the SPRS, contractors will not be awarded new contracts.
How do I perform a self-assessment and get a score to submit?
Download the NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1 document and fill out Annex A - NIST SP 800-171 DoD Assessment Scoring Template to generate your findings.
How do I submit the self-assessment?
You will need to create an account on the PIEE website (Procurement Integrated Enterprise Environment) and submit your self-assessment score.
Follow the steps to register on the PIEE website and choose 'vendor' from the company options page.
When you reach step 6 of registration – Roles of the registration process, select "SPRS – Supplier Performance Risk System" from the application list (step 1). Choose "SPRS Cyber Vendor User" during step 2 on the same page. Next, click "ADD ROLES". You will see a line at the bottom with a "LOCATION CODE" field. This is where you will enter the "CAGE code" for your company. |
Enter the justification for your account. Use attachments for justification and/or identification. However, do not attach your self-assessment here. |
Next, you will need complete the Agreement portion of the application. You should receive approval for your account promptly after completion via email. If you do not have a CAGE code or if the CAGE code, you have not been registered with an in-use DoD contract you may not be able to successfully create an account |
Once you register, you will have to have the admin linked to the CAGE code approve your account |
This completes the steps and you have successfully created your account. Once the CAGE code administrator approves the account registration, you are ready to submit your score. |
Now that you have an account, you will need to go to the PIEE website and click "LOG IN." |
Select the company name at the desired level (BASIC will be the most common unless your company went through an audit consisting of Government personnel). Once selected, click "ADD NEW ASSESSMENT" from the menu. |
What happens if I do not submit a score?
Without a score reported or a Basic assessment performed within the last 3 years, contractors will not award contracts. So, contracts are at risk.
The interim DFARs rule has this verbatim clause buried within the latest 89-page update:
"2) The Contractor shall not award a subcontract or other contractual instrument, that is subject to the implementation of NIST SP 800-171 security requirements, in accordance with DFARS clause 252.204-7012 of this contract, unless the subcontractor has completed, within the last 3 years, at least a Basic NIST SP 800- 171 DoD Assessment."
Will I be penalized if I don't have a good score?
It's important to note that the DoD will do risk-based assessments to determine which contractors it will award contracts. A contractor with a lower score will be seen as less secure and thus less likely awarded the contract.
Contractors should do as much as they can to avoid submitting a poor score to the SPRS. If the score is not ideal, the contractor will be required to create a Plan of Action & Milestones (POAM) to document specifically when security gaps will be remediated.
How can ProArch help?
ProArch has been supporting contractors and sub-contractors with DFARS compliance requirements since 2017. Our compliance gap analysis provides the answers to the interim rule self-assessment. The gap analysis includes developing a Plan of Action & Milestones (POAM) as a roadmap to security and compliance remediation.
The DoD has made it clear that new CMMC requirements will begin to appear in contracts in early 2021 and continue to be rolled out through 2025. Without CMMC certification at a contract's required level, you become ineligible.
Reach out to ProArch for help raising your self-assessment score and remediating control gaps.