As the next installment in this series on cybersecurity, this third article will give you a better understanding of the Department of Defense’s DFARS interim rule and its requirements.
Today's read is a Cybersecurity Desk feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column is in Heat Treat Today's November 2022 Vacuum print edition. Refresh with part 1 and part 2 in earlier editions.
DFARS Interim Rule
On September 29, 2020, the Department of Defense (DoD) published the DFARS (Defense Federal Acquisition Regulation Supplement) interim rule 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements, with an effective date of November 30, 2020. These new clauses are an extension of the original DFARS 252.204-7012 clause that has been required in DoD contracts since 2018.
The interim rule implements the NIST SP 800-171 DoD Assessment Methodology and the CMMC (Cybersecurity Maturity Model Certification) framework. The interim rule requires contracting officers to take specific action prior to awarding contracts, giving task or delivery orders, or extending an optional period of performance on existing contracts on or after November 30, 2020.
DFARS 252.204-7019 Clause: Notice of NIST SP 800-171 DoD Assessment Requirements
All DoD contractors in the Defense Industrial Base (DIB) must complete a self-assessment using the DoD’s NIST 800-171 Assessment Methodology and generate a points-based score. If the self assessment score falls below 110, contractors are required to create a POAM (Plan of Action and Milestones) and indicate by what date the security gaps will be remediated and a score of 110 will be achieved as part of the Supplier Performance Risk System (SPRS). At the time of a DoD contract award containing the new 7019 clause, a DoD contracting officer will verify that a score has been uploaded to the SPRS.
DFARS 252.204-7020 Clause: NIST 800-171 DoD Assessment Requirements
Along with the 252.204-7012 and 7019 clauses, the 7020 clause is approved for use in all DoD contracts. This new clause requires that contractors provide the government with access to its facilities, systems, and personnel when it is necessary for the DoD to conduct or renew a higher-level Assessment. The higher level Assessments are the Medium and High Assessments. The self assessment conducted as part of the 7019 clause is called a Basic Assessment.
A Medium Assessment is conducted by DoD personnel and will include a review of your System Security Plan (SSP) and how each of the requirements are met and to identify any language that may not adequately address the security requirements.
A High Assessment is conducted by DoD personnel onsite at the contractor’s location and will leverage the full NIST SP 800-171A (Assessing Security Requirements for Controlled Unclassified Information) to determine if the implementation meets the requirements by reviewing evidence and/or demonstration such as recent scanning results, system inventories, baseline configurations and demonstration of multi-factor authentication and/or two-factor authentication.
Along with that, this rule also requires that contractors flow down their requirements from 7019 to their subcontractors and suppliers. Just as the DoD may choose not to award a contract due to noncompliance, you may not be able to use a subcontractor or supplier due to their noncompliance.
DFARS 252.204-7021 Clause: Cybersecurity Maturity Model Certification (CMMC) Requirements
Heat treaters willing to move forward with these cybersecurity initiatives by the DoD will have an overwhelming impact on the DoD supply chain and your business. If many heat treaters in the U.S. choose to not embrace the mandatory requirements, the DoD and DoD contractors will award contracts solely to the few heat treaters who do choose to become compliant. Poor cybersecurity practices can result in hacking, loss of company data and critical customer data, and attacks by malware, viruses, and ransomware. All of this can result in major damage to the business and loss of customers, not to mention being liable for all losses and paying significant fines.
Complying with DFARS 7012 and NIST 800-171 is a requirement for all DoD contractors, subcontractors, vendors, and suppliers. The DoD has now begun confirming that contractors and subcontractors are compliant before awarding additional contracts. Navigating NIST 800-171 and DFARS is a complex and challenging — but necessary — step in this process.
This DFARS clause establishes CMMC into the federal regulatory framework. This requires that CMMC is to be included in all contracts, tasks or orders, and solicitations, with very few exceptions. The level of CMMC that is required will be determined by the DoD and added into the Request for Proposal. Contractors must maintain the appropriate CMMC level for the duration of any contract and the requirements must be trickled down to your subcontractors and suppliers. The CMMC certification is required at the time of contract award.
Watch For the Next Cybersecurity Desk Installment
My next article, number four in the series, will be: “General Cybersecurity Best Practices and What You Should and Should Not Do.
About the Author:
Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer.'; Contact Joe at joe.coleman@go-throughput.com.
Find heat treating products and services when you search on Heat Treat Buyers Guide.com