The Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule is set to take effect on November 30, 2020, and holds an unexpected surprise for contractors subject to DFARS 252.204-7012.
The new clauses introduced in the Interim Rule are:
DFARS 7019, if included in your RFIs, RFPs, contracts, purchase orders, task orders, or delivery orders, requires you to have a current assessment (not more than 3 years old) of your NIST 800-171 compliance on file with the Supplier Performance Risk Management System (SPRS). You cannot take award of work with this clause without a current record in SPRS.
DFARS 7020 defines three types of assessments pursuant to DFARS 7019: a basic assessment, a medium assessment, and a high assessment. All three assessments must be performed according to the DoD DCMA DIBCAC Assessment Methodology and its weighted scoring system. A basic assessment is a self-assessment performed by the DIB contractor. Medium and high assessments can only be performed by the Defense Contract Management Agency's (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) personnel using NIST 800-171A.
DFARS 7021 is the anticipated Cybersecurity Maturity Model Certification (CMMC) clause. When 7021 is included in solicitations, you must have a current CMMC certification to take award of the work. The CMMC certification ecosystem is expected to go online in early 2021 and inclusion of 7021 in contracts will occur through September 2025.
Flowdown Requirements Reinforced
Contractors must flow down the entirety of DFARS 7012, DFARS 7020, and "the substance" of DFARS 7021 to their Tier 1 subcontractors. Effective November 30, 2020, subcontractors receiving CUI must not be awarded work unless they have either a current assessment on file with SPRS under DFARS 7019/7020 or a current CMMC certification. The contractor's responsibility is to uphold these flowdown requirements, and contractors will be held responsible for their performance.
With the introduction of DFARS 7019 and 7020, the Department of Defense appears to be bridging the gap between the current regulatory regime and the eventual supply-chain-wide implementation of CMMC. Given the five-year implementation path of CMMC, some DIB contractors will find they are not forced to obtain a CMMC certification until 2025. The DoD has created 7019 and 7020 as an interim step to ensure contractor compliance with the existing NIST 800-171 security requirements.
The Interim Rule becomes final on November 30, 2020. After that, DIB contractors subject to NIST 800-171 and those who see 7019/7020 in solicitations will not be able to take award of future work without at least a basic assessment on file in SPRS. However, subcontractors may find themselves subject to more aggressive timelines enforced by prime or higher-tier companies.
If you have questions about what these regulatory changes mean for your organization or if you require assistance with your basic assessment for SPRS, please contact a member of your DGC client service team or Nick DeLena, CISSP, CISA, CRISC at 781-937-5191 / firstname.lastname@example.org.
You can also visit our coronavirus web page at dgccpa.com/coronavirus which is frequently updated with new resources to help you deal with the impact of the coronavirus on you and your business.