DFARS INTERIM RULE: DAMNED IF YOU DO... DAMNED IF YOU DON'T
DOD Cybersecurity Interim Rule Brings New False Claims Act (FCA) Risks
If you are a DoD Contractor / Defense Industrial Base (DIB) company, you may already have been notified that you need to comply with a new interim rule.
Many Prime Contractors are actively contacting Subcontractors and requiring them to submit their assessment scores to the Government. Letters are going out now. Check your mail and email: one may already be there.
Prime Contractors have the right to request this information under the regulation, which goes into effect on November 30, 2020. The new Interim Rule adds DFARS clause 252.204-7019, which requires use of the NIST SP 800-171 DoD Assessment Methodology: a standard scoring methodology with three assessment levels (Basic, Medium, High) that reflect the depth of the assessment. Self-assessments are "Basic"; "Medium" and "High" assessments are performed by the Government. The rule amends DFARS subpart 204.73, Safeguarding Covered Defense Information and Cyber Incident Reporting, to implement the NIST SP 800-171 DoD Assessment Methodology.

“All offerors that are required to implement NIST SP 800–171 on covered contractor information systems pursuant to DFARS clause 252.204–7012, will be required to complete a Basic Assessment and upload the resulting score to the Supplier Performance Risk System (SPRS), DoD’s authoritative source for supplier and product performance information.”
You start with a score of 110 and then deduct the weighted points (1, 3 or 5 per requirement) for every requirement that is not fully implemented. A requirement you are still tracking in the SSP and a POA&M counts as not implemented. Did I mention that you can lose up to 313 points? That translates to a possible range of -203 to 110.

“The Basic Assessment is a self-assessment done by the contractor using a specific scoring methodology that tells the Department how many security requirements have not yet been implemented and is valid for three years. A company that has fully implemented all 110 NIST SP 800–171 security requirements, would have a score of 110 to report in SPRS for their Basic Assessment. A company that has unimplemented requirements will use the scoring methodology to assign a value to each unimplemented requirement, add up those values, and subtract the total value from 110 to determine their score.”
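The scoring method described above, worked through in code. This is an added example, not part of the original post or of the DoD methodology itself. The requirement identifiers and point weights below are an illustrative subset (the real 110 requirements and their 1/3/5 weights come from Annex A of the DoD Assessment Methodology, which must be used for a real submission); the control statuses are constructed. The partial-credit handling for 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography), which the methodology allows to be scored as a 3-point rather than 5-point deduction when partially implemented, is the one refinement beyond what the post states.

```python
"""Compute a NIST SP 800-171 DoD Assessment Methodology Basic (self-assessment) score.

Added example, not the DoD's or the post author's code. Weights and statuses
below are an illustrative subset; take real weights from Annex A of the methodology.
"""
from dataclasses import dataclass

MAX_SCORE = 110          # all 110 requirements fully implemented
MIN_SCORE = -203         # every requirement unimplemented (total weight 313)
TOTAL_REQUIREMENTS = 110
TOTAL_WEIGHT = 313

# Requirements that the methodology allows to be scored with a reduced
# deduction when partially implemented, and the reduced deduction.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# Statuses. Anything other than "implemented" is a deduction: a POA&M item
# is still an unimplemented requirement for scoring purposes.
IMPLEMENTED, PARTIAL, POAM, NOT_IMPLEMENTED = "implemented", "partial", "poam", "not_implemented"


@dataclass(frozen=True)
class Requirement:
    req_id: str   # e.g. "3.1.1"
    weight: int   # 1, 3 or 5 per Annex A


def validate_catalog(requirements):
    """Sanity-check a full Annex A catalog: 110 entries whose weights sum to 313."""
    if len(requirements) != TOTAL_REQUIREMENTS:
        raise ValueError(f"expected {TOTAL_REQUIREMENTS} requirements, got {len(requirements)}")
    total = sum(r.weight for r in requirements)
    if total != TOTAL_WEIGHT:
        raise ValueError(f"weights sum to {total}, expected {TOTAL_WEIGHT}")
    if any(r.weight not in (1, 3, 5) for r in requirements):
        raise ValueError("every weight must be 1, 3 or 5")


def basic_score(requirements, status):
    """Return (score, deductions) where deductions lists (req_id, status, points).

    status maps req_id -> one of the four status strings. Every requirement in
    the catalog must have a status; an unknown or missing status is an error,
    since silently treating it as implemented would overstate the score.
    """
    deductions = []
    for req in requirements:
        st = status.get(req.req_id)
        if st is None:
            raise ValueError(f"no status recorded for {req.req_id}")
        if st == IMPLEMENTED:
            continue
        if st == PARTIAL and req.req_id in PARTIAL_CREDIT:
            points = PARTIAL_CREDIT[req.req_id]
        elif st in (PARTIAL, POAM, NOT_IMPLEMENTED):
            # "Partial" on any other requirement is a full deduction.
            points = req.weight
        else:
            raise ValueError(f"unknown status {st!r} for {req.req_id}")
        deductions.append((req.req_id, st, points))
    score = MAX_SCORE - sum(p for _, _, p in deductions)
    assert MIN_SCORE <= score <= MAX_SCORE
    return score, deductions


# Constructed sample: a handful of requirements with illustrative weights and
# the kind of mixed status an SSP + POA&M typically shows.
SAMPLE_REQUIREMENTS = [
    Requirement("3.1.1", 5), Requirement("3.1.2", 5), Requirement("3.1.3", 1),
    Requirement("3.1.20", 1), Requirement("3.5.3", 5), Requirement("3.8.3", 5),
    Requirement("3.13.11", 5), Requirement("3.14.1", 5),
]
SAMPLE_STATUS = {
    "3.1.1": IMPLEMENTED, "3.1.2": IMPLEMENTED, "3.1.3": POAM,
    "3.1.20": IMPLEMENTED, "3.5.3": PARTIAL, "3.8.3": POAM,
    "3.13.11": NOT_IMPLEMENTED, "3.14.1": IMPLEMENTED,
}


def sample_report():
    score, deductions = basic_score(SAMPLE_REQUIREMENTS, SAMPLE_STATUS)
    lines = [f"SPRS Basic score: {score}"]
    for req_id, st, points in deductions:
        lines.append(f"  -{points:>2}  {req_id:<8} {st}")
    return score, "\n".join(lines)


if __name__ == "__main__":
    print(sample_report()[1])
```

The point the post is making shows up in the report: every requirement carried on a POA&M is a line item subtracted from 110, and the only way to report a higher number is to close the item, not to re-describe it in the SSP.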
In the past, DoD Contractors / Defense Industrial Base (DIB) companies have been self-attesting to compliance with the DFARS. They were able to claim compliance with the security requirements using their own definitions of compliance, and by pointing to a plan to correct gaps in the form of a System Security Plan (SSP) and Plans of Action and Milestones (POA&Ms).
Under the DFARS, DoD Contractors / DIB companies were able to legally state that they met the obligations of the clause without fully implementing every requirement. So, if you are a DoD Contractor / DIB company that has been relying on an SSP and POA&Ms, we have news for you. When you report your score to SPRS you will need to be fully transparent: a score that counts POA&M items as implemented could expose you to liability under the False Claims Act.
“The False Claims Act, also called the "Lincoln Law", is an American federal law that imposes liability on persons and companies who defraud governmental programs. It is the federal Government's primary litigation tool in combating fraud against the Government. The law includes a qui tam provision that allows people who are not affiliated with the government, called "relators" under the law, to file actions on behalf of the government. Persons filing under the Act stand to receive a portion of any recovered damages. As of 2019, over 71 percent of all FCA actions were initiated by whistleblowers. Claims under the law have typically involved health care, military, or other government spending programs, and dominate the list of largest pharmaceutical settlements. The government has recovered more than $62 billion under the False Claims Act between 1987 and 2019.” https://en.wikipedia.org/wiki/False_Claims_Act
The DoD reserves the right to come in and audit your compliance, and the last thing you want is to be caught in a False Claims Act violation. FCA actions are a serious threat to your business: many companies never recover from one and end up shutting down.
If you haven't already used the methodology to review your compliance posture, you had better get started ASAP. You will need to provide this information very soon.