
The Interim DFARS Rule and What It Means for Your Business

The Cybersecurity Maturity Model Certification (CMMC) was formally made part of the Defense Federal Acquisition Regulation Supplement (DFARS) in January 2020. The decision sent over 300,000 members of the defense industrial base (DIB), mostly small and midsize businesses (SMBs), into a state of frenzy.

The chaos increased when the Interim DFARS Rule (DFARS Case 2019-D041) joined the fray on November 30, 2020. This rule requires all defense contractors to perform self-assessments of their cybersecurity efficacy using the NIST CSF (SP) 800-171 DoD Assessment Methodology.

Amid all the deliberation and scrutiny, let us try understanding the Interim DFARS Rule and its impact on you as a member of the DIB. In this short read, we will tell you what exactly the Interim DFARS Rule changed, what it mandates contractors to do and what your next immediate step should be if you do not wish to be penalized for non-compliance with this latest mandate by the Department of Defense (DoD).

What the Interim DFARS Rule Changed

This is not the first time the DoD has emphasized the need for defense contractors to follow the 110 cybersecurity controls mentioned in the National Institute of Standards and Technology (NIST) Special Publication 800-171, generally referred to as “800-171.”

Even prior to the adoption of the CMMC, DFARS required most defense contractors merely to attest that they followed all the controls specified in 800-171. However, many non-compliant contractors and sporadic government audits led to controlled unclassified information (CUI) leaking out of government contracts.

Therefore, in a bid to counter potential security threats, the Interim DFARS Rule requires contractors to perform complete self-assessments and formally score their 800-171 compliance status based on a specific scoring system developed by the DoD. The post-assessment score must then be uploaded to a federal database, the Supplier Performance Risk System (SPRS).

The deadline for you to conduct a self-assessment and upload it to the SPRS database was yesterday (yes, you read that right) if you intend to accept any DoD-related contracts issued after December 1, 2020 that include the flow down of DFARS 252.204-7012.

Having understood the urgency with which you must approach complying with the Interim DFARS Rule, let us now look at how the interim rule scoring works.