Since the release of the U.S. Department of Defense interim DFARS compliance rule, which implements the DoD contractor cybersecurity assessment methodology and the CMMC framework, government contractors have had many questions. The DoD assessment methodology and CMMC have been put into effect with the prime objective of safeguarding unclassified information handled within the DoD supply chain.
The DFARS rule requires that contractors and subcontractors dealing with the DoD or handling Controlled Unclassified Information (CUI) prove that they comply with NIST SP 800-171. All government contractors will now have to provide evidence that they fulfill the compliance requirements and that their IT infrastructure meets the cyber hygiene provisions set out in NIST SP 800-171.
Here are the answers to some frequently asked questions about the DFARS rule.
Why is there a need to implement the DFARS interim rule?
Previously, DoD contractors and subcontractors did not need to provide evidence that they complied with NIST SP 800-171. The new rule has been made effective in order to secure and safeguard Controlled Unclassified Information and the intellectual property of the Defense Industrial Base (DIB). The new rule is intended to ensure there is no damage to the DoD's technological assets.
With the new DFARS rule, the DoD aims to give an incentive to contractors who meet the contractual guidelines and to encourage more contractors to do the same. This, in turn, will secure the entire DoD supply chain and help prevent cybersecurity breaches.
How are third-party providers incorporated in the new DFARS rule?
Most contractors and subcontractors rely on Managed Service Providers (MSPs) for their government IT solutions. Under the new DFARS rule, an organization will have to attest that the MSP it has hired to handle CUI also follows the higher security standards.
Can a third party, such as an MSP, submit DFARS documentation on your behalf?
Currently, there is no provision for an MSP to submit documentation on behalf of the contractor. The contractor is required to submit the documentation itself. The managed service provider can help the contractor prepare the documentation material, but it is the contractor's responsibility to check the documents' accuracy. Since the government conducts the Medium and High assessments, it submits the results of those assessments.
Should a contractor submit documentation for previous self-attestations?
Previously, there was no need to provide evidence of past assessments; the new DFARS rule has made it mandatory for DoD contractors to submit proof of the Basic Assessment. The contractor should submit all such reports to the Supplier Performance Risk System (SPRS).
How will the DFARS rule integrate with the Cybersecurity Maturity Model Certification (CMMC)?
The DFARS rule is built upon NIST SP 800-171 and the DoD Cybersecurity Assessment Methodology. These models require contractors to implement the CMMC framework and comply with its requirements. CMMC compliance gives the Department of Defense an extra layer of assurance that contractors are taking the necessary measures to safeguard sensitive data.
What are the consequences of potential errors in an assessment?
Any discrepancies observed in the self-attested documents can lead the DoD to invoke the False Claims Act (FCA). This can result in civil as well as criminal liability for a contractor that provides false reports and assessment information. …