The CMMC DFARS Interim Rule Explained

January 18, 2021 Posted by Kate Upton CMMC

On September 30, 2020, the DoD published a new set of clauses for the Defense Federal Acquisition Regulation Supplement (the DFARS) in an interim rule (DFARS Case 2019-D041). These new clauses seek to close the gap between security and compliance for the Defense Industrial Base (DIB). The interim rule introduces the CMMC requirement, which had been expected for well over a year, but the additional clauses it introduced alongside CMMC were widely unexpected.

Before explaining the new clauses, it is worth addressing the existing -7012 clause. Since December 2017, this clause has mandated compliance with NIST SP 800-171 for companies handling DoD Controlled Unclassified Information (CUI). The -7012 clause is approved for use in all DoD contracts (with a few exceptions) and is found even in contracts that do not involve CUI. The new set of DFARS clauses can be viewed as an expansion of the -7012 clause that creates more stringent requirements for the DIB.

-7019 Clause: Notice of NIST SP 800-171 DoD Assessment Requirements

All companies that handle DoD CUI must complete a self-assessment using the DoD Assessment Methodology and generate a score. Companies must then enter that score, along with the date by which they plan to remediate all gaps, into the Supplier Performance Risk System (SPRS). At the time of award for a DoD contract containing the new -7019 clause, the DoD contracting officer will simply verify that a score has been uploaded. At this time there is no baseline score requirement, which means that any score is sufficient to meet the -7019 clause requirement.

-7020 Clause: NIST SP 800-171 DoD Assessment Requirements

Along with the -7012 and -7019 clauses, this new clause is approved for inclusion in all DoD contracts. It requires a contractor to provide the Government with access to its facilities, systems, and personnel when necessary for DoD to conduct or renew a higher-level assessment. The higher-level assessments are the Medium and High assessments; the self-assessment conducted under the -7019 clause is called a Basic Assessment.

  • Medium Assessment: conducted by DoD personnel and consists of a review of the system security plan (SSP) description of how each requirement is met, to identify any descriptions that may not properly address the security requirements.
  • High Assessment: conducted on-site by DoD personnel at a Defense contractor’s location and leverages the full NIST 800-171A assessment methodology to determine if the implementation meets the requirements by reviewing appropriate evidence and/or demonstration (e.g., recent scanning results, system inventories, configuration baselines, demonstration of multifactor authentication).

Additionally, this clause requires contractors to flow down the requirements established in -7019 to their subcontractors.

-7021 Clause: Cybersecurity Maturity Model Certification (CMMC) Requirements

This new DFARS clause writes CMMC into the federal regulatory framework. It requires CMMC to be included in all contracts, task orders, and solicitations (with few exceptions). The CMMC level required will be determined by the DoD and inserted into the Request for Proposal. Contractors must maintain the appropriate CMMC level for the duration of any contract and flow down the necessary requirements to subcontractors. Certification at the appropriate CMMC level is required at the time of contract award.

Have a CMMC Compliance Question? Contact Us. We Can Help!

Tags: CMMC Certification, CMMC Readiness, NIST 800-171

About Kate Upton

Kate Upton is the IT Government Compliance Team Lead at OCD-Tech. Kate has been with the firm since May 2019. Before joining the firm, Kate received her Bachelor’s degree in Political Science & Legal Studies from the University of Maine and went on to earn a Master’s degree from Northeastern University in Strategic Intelligence. She dedicates her time at the firm to meeting the unique compliance needs of clients in the Defense Industrial Base with projects including CMMC, NIST 800-171, NIST 800-53, and DFARS rules. Kate lives in Portland, Maine with her dog Lucy.
