Why DFARS Interim Rule is important and how it connects to CMMC
With the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) looming on the horizon, companies in the Defense Industrial Base (DIB) are starting to think about how they can get compliant by 2025. While 2025 might feel a long way off, the September 20, 2020 “Defense Federal Acquisition Regulation Supplement (DFARS): Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)” (Interim Rule) makes compliance more immediate.
What is the DFARS Interim Rule?
Under the Interim Rule, companies that want to bid on DoD contracts need to complete assessments to prove their cybersecurity controls work. While DIB members have some leeway in getting CMMC compliant, the Interim Rule’s compliance date was November 20, 2020.
Under this new requirement, companies need to meet one of three assessment levels:
- Basic: self-assessment documenting current control implementations
- Medium: DoD personnel review the company's assessment documentation of its control implementations
- High: trained DoD personnel conduct the assessments, which include documentation such as recent scanning results, system inventories, configuration baselines, and proof of multifactor authentication use
How is the Interim Rule connected to CMMC?
CMMC is a maturity model; in essence, it involves “leveling up,” as in a video game. Meanwhile, the DFARS Interim Rule is a set standard of controls you need to have in place. Additionally, CMMC draws from multiple standards, including the Federal Acquisition Regulation (FAR), DFARS, and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
The type of information you collect, store, transmit, and process defines your CMMC Level. However, the DFARS Interim Rule is not a maturity model. It lists specific requirements for meeting compliance. Thus, while it is part of the DoD’s CMMC goals, it goes further than CMMC for some organizations.
Understanding the Interim Rule Scoring Methodology
This is where the interconnection between the Interim Rule and CMMC gets confusing. For CMMC, only organizations managing Controlled Unclassified Information (CUI) need to be compliant to Level 3 or above. However, the Interim Rule focuses on “controlled technical information,” defined in DFARS 252.204-7012 as:
Technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
Basically, if your company sells technology to the DoD, you need to get Interim Rule compliant quickly.
The Scoring Methodology works like this:
- Companies all start out with a perfect score of 110.
- The DoD deducts 5 points when a company is missing most “Basic Security Requirements” or a subset of “Derived Security Requirements.”
- The DoD deducts 3 points when a company is missing a subset of “Basic Security Requirements” and another subset of “Derived Security Requirements.”
- The DoD deducts 1 point when a company is missing any of the other listed “Derived Security Requirements.”
To bid on a contract, you need to have a total score of 110.
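As an added illustration (not part of the original post), the following Python applies the scoring rule above to a constructed self-assessment: every unmet requirement subtracts its 5, 3 or 1 point weight from the starting score of 110, and the result is checked against the bid threshold. The requirement list, titles and weights are sample data chosen for the demo, not the official DoD weight table, and the function names are the example's own.

```python
"""Score a NIST SP 800-171 self-assessment the way the DFARS Interim Rule's
scoring methodology is described: start at 110 and subtract 5, 3 or 1 point
for each requirement that is not implemented.  Added example; the sample
requirements and their weights are constructed for illustration and are not
the official DoD weight table."""
from dataclasses import dataclass

PERFECT_SCORE = 110          # every company starts here
VALID_WEIGHTS = {5, 3, 1}    # the only deductions the methodology uses


@dataclass(frozen=True)
class Requirement:
    req_id: str        # NIST SP 800-171 requirement number, e.g. "3.5.3"
    title: str
    weight: int        # points deducted if the requirement is not implemented
    implemented: bool


# Constructed sample self-assessment (weights are illustrative, not official).
SAMPLE_ASSESSMENT = [
    Requirement("3.1.1", "Limit system access to authorized users", 5, True),
    Requirement("3.5.3", "Multifactor authentication for network and privileged access", 5, False),
    Requirement("3.13.11", "FIPS-validated cryptography to protect CUI", 5, False),
    Requirement("3.1.5", "Least privilege for accounts and processes", 3, False),
    Requirement("3.4.9", "Control and monitor user-installed software", 1, False),
    Requirement("3.1.20", "Verify and control connections to external systems", 1, True),
]


def score_assessment(reqs):
    """Return 110 minus the weight of every requirement that is not implemented.

    Rejects weights outside {5, 3, 1} so a typo in the input cannot silently
    inflate or deflate the score.
    """
    deductions = 0
    for r in reqs:
        if r.weight not in VALID_WEIGHTS:
            raise ValueError(f"{r.req_id}: weight must be 5, 3 or 1, got {r.weight}")
        if not r.implemented:
            deductions += r.weight
    return PERFECT_SCORE - deductions


def is_bid_eligible(reqs):
    """The text sets the bar at a perfect 110: any open gap disqualifies."""
    return score_assessment(reqs) == PERFECT_SCORE


def _req_key(req_id):
    # "3.13.11" must sort after "3.5.3", so compare numerically, not as text.
    return tuple(int(part) for part in req_id.split("."))


def remediation_plan(reqs):
    """Unmet requirements ordered by points recovered (5 first), then by number.

    Closing the 5-point gaps first is the fastest route back toward 110.
    """
    gaps = [r for r in reqs if not r.implemented]
    return sorted(gaps, key=lambda r: (-r.weight, _req_key(r.req_id)))


if __name__ == "__main__":
    score = score_assessment(SAMPLE_ASSESSMENT)
    print(f"Assessment score: {score} / {PERFECT_SCORE}")
    print(f"Eligible to bid: {is_bid_eligible(SAMPLE_ASSESSMENT)}")
    print("Remediation order:")
    for r in remediation_plan(SAMPLE_ASSESSMENT):
        print(f"  -{r.weight}  {r.req_id}  {r.title}")
```

Run as a script, the sample scores 96 (deductions 5 + 5 + 3 + 1) and is not bid-eligible; the remediation list puts the two 5-point gaps first, which is how a practitioner would prioritise closing them before a DoD assessment.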
Both the Interim Rule and CMMC Level 3 are based on NIST 800-171. So, any company that needs to meet Interim Rule requirements to bid on a contract needs to have CMMC Level 3 controls in place.
Using SteelCloud to Get Compliant Faster
The Security Technical Implementation Guides (STIGs) set out by the Defense Information Systems Agency (DISA) are a group of controls used to harden systems. At a technical level, STIGs give you the controls necessary to secure your systems, software, and hardware.
However, STIGs are notoriously difficult to implement, for several reasons. Sometimes one STIG conflicts with another, leading to system downtime. Additionally, DISA updates them every 90 days, so as soon as you get compliant, you need to start over again. Managing them manually becomes time-intensive and overwhelming. The combination of labor and potential conflicts also leads companies to put “waivers” in place, basically agreeing to accept non-compliance. Together, these challenges make it difficult for companies to stay compliant: even when they have the controls in place, they struggle to document their manual activities.
SteelCloud’s patented ConfigOS automates STIG compliance. Our software automatically scans and remediates the burdensome STIG controls, ensuring that no conflicts exist while providing a single source of waiver documentation for effective and efficient STIG compliance.