3 Clauses Added To DFARS That DoD Contractors Need To Understand
Have you reviewed the Interim Final Rule released by the DoD at the end of September? If you plan to keep bidding on defense contracts, you need to get up to speed.
The DoD recently released its Interim Final Rule. In addition to setting a deadline for NIST compliance and a timeline for CMMC compliance, the document also lays out a number of additional DFARS clauses.
Do you know what these clauses are, and what they mean for you as a defense contractor?
What Clauses Have Been Added To DFARS?
While the Interim Final Rule was largely concerned with NIST and CMMC, the document does include some other important details to take note of.
In particular, it adds three new DFARS clauses:
DFARS 252.204-7019
This clause sets a requirement for an assessment of NIST 800-171 in new contracts from Nov. 30, 2020 onward. Building off the DCMA program, it will act as the bridge to CMMC over the coming years.
Assessments fall into three categories:
- Basic (self-assessment)
- Medium (conducted by DCMA)
- High (conducted by DCMA)
The results of any such assessments are required to be uploaded to the Supplier Performance Risk System (SPRS). The SPRS will act as the central database, holding results of NIST assessments and the CMMC certifications for DoD review.
DFARS 252.204-7020
This clause lays out two requirements:
- Contractors are to provide access to “facilities, systems, and personnel” in support of assessments.
- “Subcontractors have results of a current assessment in SPRS prior to contract award.”
These requirements consolidate all assessment-associated info and ensure that assessors can access systems for the purpose of an assessment.
DFARS 252.204-7021
This clause requires CMMC to be included in all contracts moving forward from the deadline. The details of CMMC compliance are in line with previous versions released by the DoD.
Furthermore, it’s important to note that DFARS 252.204-7012 hasn’t been modified. This means the underlying requirements for FedRAMP Moderate, NIST 800-171, and clauses (c) through (g) will continue unchanged.
How Much Time Do I Have To Comply?
While the Interim Final Rule takes effect on Nov. 30, 2020, this will not be an overnight process.
You will be required to be NIST compliant by that time, but CMMC compliance will be rolled out after the fact. There is a five-year time frame detailed in the Interim Final Rule to walk contractors through CMMC compliance.
What Should I Expect Of The Certification Process?
While the DoD and the CMMC-AB are doing their best to lay out a careful and straightforward process, you can expect road bumps. After all, over 200,000 companies will eventually need to be certified, but at the moment, there are fewer than 100 auditors.
Throughout 2021, it is expected that the CMMC-AB will be assisting with pairing C3PAOs with contractors that require certification in order to bid on DoD contracts. During that time, you will not be able to seek out a C3PAO outside of these pairings.
At some point, the CMMC-AB Marketplace will go live and you will be able to choose your own C3PAO, but don’t count on that in the short term. In the meantime, Advantage Industries can help…
Book Your Assessment Now And Get A FREE Dark Web Scan
Let’s get started right away.
CLICK HERE to book your assessment.
If you do, you’ll receive a FREE Dark Web scan. Furthermore, 4 out of 5 businesses that schedule a meeting with us can also qualify for a FREE network security scan. This scan will give you valuable information on the state of your network and the scale of remediation you can expect.
Put simply, this is the best way to start your NIST and CMMC compliance process ahead of the deadline at the end of November.