What the Interim Rule Means for DoD Contractors

Starting December 1, 2020, existing DoD contractors will no longer be awarded new contracts unless they are in compliance with the newly established Interim Rule. This new rule strives to bridge the gap between DFARS compliance and the long-awaited new CMMC cyber security regulations.

Here are some key points covering what contractors need to know about this rule and the new requirements it enacts.

  1. What is the Interim Rule?

The Interim Rule is a step along the path to full implementation of the CMMC, the new compliance standard being enacted in the Department of Defense supply chain to uphold high standards of cybersecurity. In essence, the Interim Rule amends existing regulations and introduces a new mandatory assessment methodology.

The NIST SP 800-171 DoD Assessment Methodology is a standardized approach to assessing the degree to which contractors are successfully implementing NIST 800 cybersecurity requirements.

Via the interim rule, changes will be made to the existing Defense Federal Acquisition Regulation Supplement (DFARS) in order to phase in implementation of the new assessment methodology and, eventually, the CMMC. These intermediary steps will be in place for some time, as full implementation of the CMMC is not expected to be achieved until 2025.

2. When will compliance with the Interim Rule be required?

The Interim Rule was issued on September 29, 2020, and comes into effect on November 30, 2020.

Full implementation of the CMMC, by contrast, is not expected to be achieved until 2025.

Existing DoD contractors who are not in compliance with the Interim Rule by December 1, 2020, will no longer be awarded new contracts until such time as compliance is met.

3. How can you prepare for what comes next?

The first step in preparing for what comes next is for all DoD contractors and subcontractors to familiarize themselves with the relevant security requirements ahead of the deadline.

Contractors subject to the DFARS 252.204-7012 clause will need to receive an Interim Rule scored assessment. This can be done as a self-assessment, as previously done, but it now must be scored according to stricter standards evaluating 110 controls and then properly reported. Many organizations choose to work with a company offering DFARS compliance consulting services to stay on top of these new changes and ensure continued compliance.

Such a company can conduct a third-party readiness review that can provide you with your scored assessment and assess the degree of work and adjustment required in order to bring current practices into line.

Using NIST 800-171 or CMMC Maturity Level practice standards, these reviews can identify areas of your business which need a quick adjustment to update your cybersecurity, vs. which areas of your business will require more substantial investments of time and resources.