DECIPHERING THE DOD 18-PAGE INTERIM RULE (DFARS, FAR, CMMC)
If you are a DoD contractor, you need to read this ASAP!

The Evolution of Contracting with the DoD

First, there was the DEFENSE FEDERAL ACQUISITION REGULATION SUPPLEMENT (DFARS)…
Then there was the FEDERAL ACQUISITION REGULATION (FAR)…
And then there was the CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC)…
Now there's DEFENSE FEDERAL ACQUISITION REGULATION SUPPLEMENT: ASSESSING CONTRACTOR IMPLEMENTATION OF CYBERSECURITY REQUIREMENTS (DFARS CASE 2019–D041)
You Can Find the Interim Rule HERE
What just happened? Let me narrate for you and share some important sections of the regulation.
A little background might be in order:
“Under DFARS clause 252.204–7012, DIB companies self-attest that they will implement the requirements in NIST SP 800–171 upon submission of their offer. A contractor can document the implementation of the security requirements in NIST SP 800–171 by having a system security plan in place to describe how the security requirements are implemented, in addition to associated plans of action to describe how and when any unimplemented security requirements will be met.”

“As a result, the current regulation enables contractors and subcontractors to process, store, or transmit CUI without having implemented all of the 110 security requirements and without establishing enforceable timelines for addressing shortfalls and gaps.”
BOOM!!! There goes our most sensitive data.
“Findings from DoD Inspector General report (DODIG–2019–105 ‘Audit of Protection of DoD Controlled Unclassified Information on Contractor-Owned Networks and Systems’) indicate that DoD contractors did not consistently implement mandated system security requirements for safeguarding CUI and recommended that DoD take steps to assess a contractor’s ability to protect this information.”
“The report emphasizes that malicious actors can exploit the vulnerabilities of contractors’ networks and systems and exfiltrate information related to some of the Nation’s most valuable advanced defense technologies.”
“Because of these issues and shortcomings and the associated risks to national security, the Department determined that the status quo was not acceptable and developed a two-pronged approach to assess and verify the DIB’s ability to protect the FCI and CUI on its information systems or networks, which is being implemented by this rule.”
Yes, that’s right: DoD contractors (Defense Industrial Base, or DIB, companies) have been self-attesting to compliance with DFARS 252.204–7012 for years. They were able to claim compliance with the NIST SP 800–171 security requirements using their own definitions of what counted as implemented, and could cover any gap simply by pointing to a plan of action saying it would be corrected later.