How MSPs Can Help Clients Comply With the Interim Rule
13 Jan
The Department of Defense (DoD) rolled out its new cybersecurity framework, the Cybersecurity Maturity Model Certification (CMMC), in June 2020 to augment the department’s data protection efforts throughout its supply chain. However, because CMMC will require five years to be fully implemented, the DoD instituted an interim rule to help safeguard all Controlled Unclassified Information (CUI) during the rollout phase. The rule came into effect on November 30, 2020.
This interim rule was designed as a cybersecurity stop-gap to ensure all contractors who work on any new DoD contracts follow best practices. The rule requires all contractors and subcontractors to perform a cybersecurity self-assessment, score the assessment according to a specific methodology, and generate several documents that must be submitted to the DoD.
The self-assessment consists of evaluating the implementation of the 110 cybersecurity controls defined by the National Institute of Standards and Technology (NIST) in Special Publication 800-171. DFARS clause 252.204-7019 requires organizations to perform these self-assessments of their cybersecurity efficacy and of their compliance status with the existing DFARS clause 252.204-7012. DFARS clause 252.204-7020 stipulates the NIST SP 800-171 DoD Assessment Methodology that contractors must use to conduct the self-assessments.
Scoring the Assessment
The DoD assigned a scoring system for the self-assessments to standardize how contractors rate themselves. The scoring methodology begins with a “perfect” score of 110, one point for each of the NIST SP 800-171 controls the organization must implement. Points are deducted for every control that isn’t implemented. Each deduction holds a point value ranging from one to five based on the individual control’s importance. No credit is given for partially implemented controls, except for multifactor authentication and FIPS-validated encryption. The score must be posted to the governmental Supplier Performance Risk System (SPRS) database within 30 days of completing the assessment.
Many subcontractors are small businesses that may not know how to perform the assessment or may not have the resources to do so. Even if they do, they may not know how to implement the changes needed to improve their score. With the right tools, MSPs and MSSPs can quickly execute the assessment and generate a DoD-approved scorecard.
The System Security Plan
A contractor must also develop and submit a System Security Plan (SSP) that catalogs the details of their implemented NIST 800-171 security controls, such as operational procedures, organizational policies, and technical components. And again, many small businesses don’t possess the necessary IT knowledge to complete the document. Even if they do, creating the SSP could take time away from other responsibilities, causing operational issues. With the right tools, you can have a comprehensive SSP automatically generated directly from the 800-171 assessment.
What if a Contractor Does Not Have a Perfect Score?
If the assessment identifies any control that has not been fully implemented, the contractor must provide a Plan of Action and Milestones (POAM) document as an addendum explaining how the deficiencies will be addressed and when the implementation will be complete. Organizations may also post updated scores as previously deficient controls are addressed and remediated.
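The scoring rules described above, the POAM list of deficient controls, and the 30-day SPRS posting window, worked through as an added example that is not part of the original article. The NIST control numbers used for the two partial-credit exceptions (3.5.3 for multifactor authentication, 3.13.11 for FIPS-validated cryptography), the 3-point partial deductions, and the sample assessment are assumptions constructed for illustration; the authoritative per-control weights come from the DoD Assessment Methodology, not from this script.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

PERFECT_SCORE = 110  # one point per NIST SP 800-171 control before deductions
# Control numbers assumed for the two partial-credit exceptions (MFA, FIPS crypto).
PARTIAL_CREDIT_ELIGIBLE = {"3.5.3", "3.13.11"}

class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partially implemented"
    NOT_IMPLEMENTED = "not implemented"

@dataclass(frozen=True)
class Control:
    control_id: str
    weight: int                 # points lost when not implemented (1..5)
    status: Status
    partial_deduction: int = 0  # reduced loss for an eligible, partially done control

def deduction(c: Control) -> int:
    """Points lost for one control under the scoring the article describes."""
    if not 1 <= c.weight <= 5:
        raise ValueError(f"{c.control_id}: weight must be 1..5, got {c.weight}")
    if c.status is Status.IMPLEMENTED:
        return 0
    if c.status is Status.PARTIAL and c.control_id in PARTIAL_CREDIT_ELIGIBLE:
        return c.partial_deduction
    return c.weight  # partial work on any other control earns no credit

def compute_score(controls) -> int:
    return PERFECT_SCORE - sum(deduction(c) for c in controls)

def poam_items(controls) -> list:
    """Controls that need a Plan of Action and Milestones entry."""
    return [c.control_id for c in controls if c.status is not Status.IMPLEMENTED]

def sprs_posting_deadline(completed: date) -> date:
    """Latest date to post the score to SPRS: 30 days after the assessment."""
    return completed + timedelta(days=30)

# Constructed sample assessment: 106 implemented controls plus four gaps.
# The 3-point partial deductions are assumed values, not taken from the article.
SAMPLE = [Control(f"ctrl-{i:03d}", 1, Status.IMPLEMENTED) for i in range(106)] + [
    Control("3.5.3", 5, Status.PARTIAL, partial_deduction=3),    # MFA partly deployed
    Control("3.13.11", 5, Status.PARTIAL, partial_deduction=3),  # crypto not FIPS-validated
    Control("3.1.1", 5, Status.NOT_IMPLEMENTED),                 # high-weight control missing
    Control("3.3.9", 1, Status.PARTIAL),                         # partial, so no credit
]
```

Running `compute_score(SAMPLE)` on the constructed assessment yields 98, and `poam_items(SAMPLE)` lists the four controls that need POAM entries.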
Putting It All Together
Between now and the end of 2025, the Interim Rule will remain in place while CMMC continues to be rolled out. As Certified Third-Party Assessor Organizations (C3PAOs) are trained, and more contractors obtain their CMMC certification, CMMC requirements will start appearing in new government contracts. DoD contracts will establish CMMC requirements at varying levels – from Level 1 (least secure) to Level 5 (most secure) – depending on the nature of the contract. Any contractor who wants to bid on DoD contracts will need to complete a formal assessment by a C3PAO. Most contractors have time to obtain their CMMC certification, since only a handful of test contracts will carry CMMC requirements over the next few years. However, the pressure is certainly on to comply with the CMMC Interim Rule.