The Federal Acquisition Regulation (FAR) governs the US government’s acquisitions and the selection of contractors that work with its agencies. Companies that work with the military fall under the jurisdiction of the Defense Federal Acquisition Regulation Supplement (DFARS). In 2020, an update to DFARS introduced new standards for testing these companies’ security. Read on to have the DFARS interim rule explained comprehensively.
The DFARS Interim Rule Explained Inside and Out
The Department of Defense (DoD) has worked to increase cybersecurity for the US to match steady increases in the depth, breadth, and complexity of cyber threats. As one part of that effort, the DFARS Interim Rule of 2020 has increased the speed with which companies need to implement required protections and has introduced new protocols for assessing these changes.
In the sections below, we’ll break down everything you need to know, including:
- An overview of the main impacts of the DFARS Interim Rule on compliance
- A deep dive into the scope and requirements of the NIST SP 800-171 framework
- The five maturity levels and all controls needed for CMMC certification
By the end of this article, you’ll be well prepared to meet the new standards required by the DFARS interim rule. But first, let’s take a close look at who exactly is impacted by DFARS.
Which Businesses Are Impacted by DFARS?
Regulatory guides like FAR and DFARS apply primarily to governmental agencies, such as the DoD. But businesses that work with the DoD make up the Defense Industrial Base sector (DIB), a key supply chain that contributes to the smooth functioning of all branches of the military. Businesses seeking out these contracts become critical to all Americans’ safety.
The DIB is one of 16 Critical Infrastructure Sectors presided over by the Cybersecurity and Infrastructure Security Agency (CISA). These sectors are essential to protect. By definition, any security compromise could have debilitating consequences for national security, public health, the economy, and the fabric of society in the US and abroad.
To prevent these negative impacts, all DIB businesses and DoD contractors need to follow DFARS regulations.
Understanding the DFARS Interim Rule
Businesses working with the DoD were already required to implement the National Institute of Standards and Technology (NIST) SP 800-171 controls. Those seeking out preferred contractor status also had to achieve Cybersecurity Maturity Model Certification (CMMC) through the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD-A&S).
Under the Interim Rule, major changes impact these two frameworks in the following ways:
- Implementation of the DFARS Interim Rule includes a new DoD Assessment Methodology, complete with new scoring metrics. Companies must post their scores to the Supplier Performance Risk System (SPRS) and generate a System Security Plan (SSP).
- While CMMC compliance was only required for certain contracts before, it is now a prerequisite for all DoD contracts. Per OUSD-A&S’s executive summary of the Interim Rule’s impact, compliance required for a given contract is commensurate with the security needs of the kind(s) of information the contractor is likely to encounter.
The most immediate impact of the Interim Rule on businesses is that it requires a re-assessment for NIST SP 800-171, even if the business was recently assessed. Other companies may now have to implement CMMC given the change.
Impacts on FAR and DFARS Requirements
All contractors looking to work with the DoD will need to implement NIST SP 800-171 and CMMC required controls. The interim rule speeds up the timeline within which these companies must comply and changes the way self-assessments are submitted and scored.
FAR and DFARS still exist to safeguard two primary types of information:
- Federal Contract Information (FCI) – Detailed information from or related to contracts between private parties and federal government agencies, not intended for public access
- Controlled Unclassified Information (CUI) – Sensitive documents and details that do not fall under the definition of “classified” but are still protected; examples include select technical, repair, and operations manuals, training guides, etc.
Various cybersecurity frameworks pertain to the protection of this information. The two most critical are those directly impacted by the Interim Rule: NIST SP 800-171 and the CMMC, focusing on FCI and CUI, respectively. Let’s take a close look at each one’s requirements.
Implementing NIST SP 800-171 Framework
As noted above, the DFARS Interim Rule Self-Assessment for NIST SP 800-171 compliance involves new methods for scoring and reporting your score via SPRS. However, requirements for compliance have not changed. Besides the FAR and DFARS protections for FCI and CUI, NIST SP 800-171 also protects another data class: Covered Defense Information (CDI).
To protect these various forms of sensitive information, NIST SP 800-171 draws heavily from NIST’s Cybersecurity Framework (CSF). The foundational text ISO/IEC 27002:2013 is also a significant source, as are Federal Information Processing Standards Publications (FIPS) 199 and 200. Drawing on all these inputs, NIST SP 800-171’s scheme comprises 14 “Requirement Families” and 110 “Requirements.” Let’s take a closer look at what each “Family” entails.
Breakdown of NIST SP 800-171 Controls
The Requirement Families and their respective Requirements break down as follows:
- Access Control – Comprising two Basic and 20 Derived Requirements (22 total) that determine limitations on internal and external individuals’ access to FCI, CUI, and CDI
- Awareness and Training – Comprising two Basic and one Derived Requirement (three total) that specify training requirements for internal staff, as well as select strategic partners
- Audit and Accountability – Comprising two Basic and seven Derived Requirements (nine total) that define the frequency of and protocols for regular auditing for staff accountability
- Configuration Management – Comprising two Basic and seven Derived Requirements (nine total) that designate minimum device and software settings to ensure proper security
- Identification and Authentication – Comprising two Basic and nine Derived Requirements (11 total) that further define (along with Access Control) user account protocols
- Incident Response – Comprising two Basic and one Derived Requirement (three total) that sketch the parameters and expectations for programmatic incident management
- Maintenance – Comprising two Basic and four Derived Requirements (six total) that govern the frequency of and protocols for both routine and special event maintenance
- Media Protection – Comprising three Basic and six Derived Requirements (nine total) that specify protections for hardware and software connected to FCI, CUI, and CDI
- Personnel Security – Comprising two Basic Requirements that define procedures for recruitment, hiring, movement, and dismissal of personnel (before, during, after)
- Physical Protection – Comprising two Basic and four Derived Requirements (six total) that restrict individuals’ access to spaces and devices connected to FCI, CUI, and CDI
- Risk Assessment – Comprising one Basic and two Derived Requirements (three total) that govern a company’s programmatic approach to risk analysis and ultimate mitigation
- Security Assessment – Comprising four Basic Requirements that define parameters and expectations for assessment of security systems and practices (as distinct from auditing)
- System and Communications Protection – Comprising two Basic and 14 Derived Requirements (16 total) that define protections for internal and external network traffic
- System and Information Integrity – Comprising three Basic and four Derived Requirements (seven total) that govern overall monitoring for and correction of flaws in security systems
Achieving NIST SP 800-171 Compliance
Complying with NIST SP 800-171 means implementing all 110 Requirements simultaneously. While CMMC allows for a gradual approach, NIST does not. Implementation of such a wide range of controls can be challenging, especially for smaller companies new to the DIB. RSI Security offers robust and scalable NIST SP 800-171 services to help all companies comply.
Our suite of NIST SP 800-171 services is customizable to your company’s exact needs and means. You can begin with gap and patch reporting or broader, generalized vulnerability management. Or, you can start with powerful analytical tools like penetration testing that get to the root of any flaws in your architecture. See our NIST SP 800-171 datasheet to learn more.
Mapping Onto the CMMC Framework
CMMC encompasses all of NIST SP 800-171, as well as other key cybersecurity texts. The CMMC components of the DFARS Interim Rule, or the “CMMC Interim Rule,” include faster and wider implementation of all five CMMC “Maturity Levels.” These break down as follows:
- Maturity Level 1 – Focused primarily on safeguards for FCI; 17 practices constitute Level 1, and they are the most straightforward practices of all
- Maturity Level 2 – Focused primarily on transitioning into CUI protections; 55 practices are added at Level 2
- Maturity Level 3 – Focused on fully protecting FCI and CUI; encompassing the entirety of NIST SP 800-171; 58 controls are added at Level 3
- Maturity Levels 4 and 5 – Focused on optimizing and moving beyond CUI and FCI protection and into preventative measures for Advanced Persistent Threats (APTs); Level 4 adds on 26 controls, and Level 5 adds the final 15
Across these five levels, the CMMC framework comprises 17 “Domains,” analogous to NIST’s “Families,” and 171 “Practices,” comparable to NIST’s “Requirements.” There are also 43 “Capabilities” which shape the purpose and direction of a Domain. Let’s take a closer look.
Breakdown of All CMMC Controls
The Domains and their respective Capabilities and Practices break down as follows:
- Access Control (AC) – Comprising four Capabilities and 26 Practices that limit access to FCI and CUI through authorization and control over individual accounts and access sessions
- Asset Management (AM) – Comprising two Capabilities and two Practices that distinguish controls for the inventorying, indexing, and oversight of sensitive hardware and software
- Audit and Accountability (AU) – Comprising four Capabilities and 14 Practices that define protocols for audits and the logging and security of audit records
- Awareness and Training (AT) – Comprising two Capabilities and five Practices that govern content, regularity, and other specifications of staff awareness training programs
- Configuration Management (CM) – Comprising two Capabilities and 11 Practices that require replacement of default settings and define requirements of new settings
- Identification and Authentication (IA) – Comprising one Capability and 11 Practices that govern (along with AC) user account controls such as credential and session integrity
- Incident Response (IR) – Comprising five Capabilities and 13 Practices that define a systematic approach to identifying, responding to, and recovering from security events
- Maintenance (MA) – Comprising one Capability and six Practices that govern requirements for hardware and software maintenance, routine and in exceptional cases, like after an attack
- Media Protection (MP) – Comprising four Capabilities and eight Practices that govern security controls specific to media-related software and hardware connected to FCI and CUI
- Personnel Security (PS) – Comprising two Capabilities and two Practices that govern secure strategies for recruiting, retaining, promoting, and otherwise moving personnel
- Physical Protection (PE) – Comprising one Capability and six Practices that restrict both proximal and physical access to devices and workstations connected to FCI and CUI
- Recovery (RE) – Comprising two Capabilities and four Practices that govern the systematic approach to recovery of assets and services during and after a compromising event
- Risk Management (RM) – Comprising three Capabilities and 12 Practices that define the systematic approach to the identification, analysis, and overall management of risks
- Security Assessment (CA) – Comprising three Capabilities and eight Practices that govern procedures for company-wide assessment of security architecture’s effectiveness
- Situational Awareness (SA) – Comprising one Capability and three Practices that define baseline requirements for staff’s understanding of the company’s security landscape
- Systems and Communications Protection (SC) – Comprising two Capabilities and 27 Practices that govern protections for communications on internal and external networks
- System and Information Integrity (SI) – Comprising four Capabilities and 13 Practices that ensure efficacy of security controls, including all other Practices, through monitoring
Completing Full CMMC Certification
Achieving CMMC certification requires more than just implementing the required Practices, ranging from “Cyber Hygiene” to “Proactive.” Each Level also requires a given “Process” goal, from “documented” at Level 2 to “optimizing” at Level 5. Given these escalating challenges, CMMC compliance can be complex despite the gradual progression.
RSI Security’s suite of dedicated CMMC services is designed to facilitate certification for any company. As a Certified Third-Party Assessment Organization (C3PAO), we can directly grant certification. We can also help your company install the practices it requires alongside a targeted plan to help maintain them over the long term for optimal cybersecurity.
Full-Service DoD Cybersecurity Advisory
With the major components of the DFARS interim rule explained, your company should be able to implement all required controls and lock down lucrative DoD contracts. But understanding is not the same thing as implementing. Assessing and maintaining all these practices can be quite challenging for companies of all sizes. This is especially true for smaller companies new to the DIB. To see just how simple your NIST SP 800-171 and CMMC compliance can be, contact RSI Security today.