What Is The CMMC Interim Rule?

The Department of Defense recently announced the introduction of a new Interim Rule as an amendment to Defense Federal Acquisition Regulation Supplement (DFARS). This Interim Rule works to integrate a new Assessment Methodology and Cybersecurity Maturity Model Certification framework that will expand the current self-assessment methodology.

The goal in implementing this new rule is to protect the DoD supply chain by increasing cybersecurity across the board while CMMC regulations are in the process of being enacted.

Why Is the Interim Rule Needed?

CMMC will be building on and replacing current DFARS regulations for DoD contractors in order to increase supply chain security. However, CMMC will take up to five years to be fully implemented, while greater security is needed now to protect the Department of Defense. Past and present cyber attacks have shown that even the strict security measures required by DFARS are not sufficient.

The Interim Rule has been created to bridge this gap. It will build some of the stricter measures that will be required under CMMC into current DFARS requirements, and it will go into effect December 1, 2020.

Changes Included in the Interim Rule

So what are the main changes that the Interim Rule is going to enact? The most important updates to be aware of are:

  • All DoD contractors will now have to complete a scored self-assessment and report it to SPRS.
  • There will be an increase in audits to ensure that contractors are complying with the necessary measures.

Essentially, under the Interim Rule, there will be an increase in accountability required of contractors. To remain eligible for contracts, you’ll need to not only follow the required measures, but show that you are fulfilling the cybersecurity standards laid out by completing the scored assessment and reporting it accordingly.

The Scored Self-Assessment

Contractors were previously required to complete a self-assessment. This isn’t changing, but the way contractors will be held accountable is; namely, instead of merely saying you’ve completed the assessment now, you must assign yourself a score and then report it to the SPRS.

There are 110 requirements in the NIST 871 that contractors will score themselves on, and each will be assigned a number (generally from 1–5) that will be subtracted from the total score if that requirement is not filled.

In addition to the scored portion of the assessment, you must complete a System Security Plan (SSP) and a Plan of Action and Milestones (POAM). These will describe the state of your cybersecurity network as it currently stands and outline how you plan to achieve the necessary compliance with the new Rule.

Prime Contractors must also ensure that all subcontractors and suppliers in their supply chain are in compliance with this standard.

Next Steps for DoD Contractors

In order to continue getting contracts and therefore keeping business flowing, all DoD contractors will have to be compliant with the new Interim Rule by the 1st of December. That means you will need to get a scored assessment now, or as soon as possible, so that you can be ready by that date.

Tim Brennon, CEO of SysArc—a Managed Service Provider that helps DoD contractors prepare to become CMMC compliant, including by complying with the new DFARS Interim Rule—says, “With more frequent audits on the way, contractors will be held more accountable for their own security. It’s best to prepare for these changes immediately by completing your scored assessment as soon as possible.”