September 1, 2022

Last Updated on January 18, 2024

The US Department of Defense (DoD) recently announced that the new DFARS 7019 and DFARS 7020 clauses pertaining to CMMC, which first went into effect with the November 2020 “interim rule,” will be finalized in December 2022.

This is another red flashing alert that time is running out for DIB orgs that handle controlled unclassified information (CUI) to comply with NIST 800-171 per current DFARS regulations—and that compliance scrutiny will continue to increase. Firms that fail to meet the DoD’s requirements are putting their defense-related business at significant risk.

What to expect

Since the soon-to-be-final DFARS 7019 and DFARS 7020 clauses are already in effect, not much is really changing. DIB orgs that handle CUI and are subject to DFARS 7012 are already obligated to:

  • Conduct a self-assessment of their NIST 800-171 compliance
  • Report their self-assessment score to the DoD’s Supplier Performance Risk System (SPRS) database

With the finalization of DFARS 7019 and DFARS 7020, the DoD and its prime contractors will rely entirely on subcontractors’ SPRS scores to evaluate and compare their cybersecurity postures. If your company has not submitted a score to SPRS, this is a serious liability in your efforts to win new defense contracts and keep current contracts.

More and more primes are requiring subs to formally report on their cybersecurity postures, especially since the new DFARS clauses formalize the “flowdown” process making primes responsible for security across their supply chains. The DoD is also auditing more DIB orgs on their NIST 800-171 compliance, as well as randomly reviewing the validity of hundreds of SPRS scores. Companies that misrepresent or cannot substantiate their score face significant penalties not only from the DoD, but also through the US Department of Justice (DoJ) Civil Cyber-Fraud Initiative (aka the False Claims Act).

What to do now

If you handle CUI and wish to continue doing business in the US defense sector, you need to bring your cybersecurity posture into verifiable compliance with NIST 800-171 as soon as possible.

This process starts with a detailed, accurate and unbiased NIST 800-171 self-assessment, including submitting your score and documentation to SPRS so it is available when primes and/or the DoD request it.

If you are not yet fully NIST 800-171 compliant, be sure to include Plans of Action & Milestones (POA&Ms) to document any shortcomings. You’ll also need to create a System Security Plan (SSP) as part of your self-assessment process, as this is required for NIST 800-171/CMMC compliance.

Get ready for the CMMC rollout

The DoD now expects to issue interim final rules to codify the CMMC 2.0 framework by March 2023, with CMMC compliance requirements being included in contract solicitations as early as May 2023. To participate in those contracts, you will need to have a strong self-assessment in SPRS, with a third-party audit also on the horizon for many firms.

In short, CMMC 2.0 compliance is likely to be a requirement in less than a year, which is sooner than many DIB orgs have anticipated. If you are not already provably CMMC compliant you should be actively working to remediate your compliance gaps, while keeping your SPRS score and POA&Ms updated.

Next steps

With cybersecurity expertise in short supply, many companies will engage with consultants to attain the needed strategic and tactical skills. These skills will be increasing demand in the months to come, making it all the more important to begin identifying and addressing any NIST 800-171/CMMC compliance concerns.

To speak with a CMMC compliance expert about your business goals and current status, contact Pivot Point Security.


Free OWASP ASVS Testing Guide

If you are just learning about OWASP’s testing standard or are considering the best way to prove the security of an application, this guide is meant for you!