Skip to content
Defense Federal Acquisition Regulation
  • IT

The Interim Defense Federal Acquisition Regulation Supplement Rule and What It Means for You

The Cybersecurity Maturity Model Certification (CMMC) was formally made part of the Defense Federal Acquisition Regulation Supplement (DFARS) in January 2020 and updated to CMMC 2.0 in November 2021. The decision affected more than 300,000 defense industrial base (DIB) members, and many found themselves drowning in all kinds of unnecessary noise surrounding CMMC and its implications on existing and future government contracts.

The chaos increased when the Interim DFARS Rule (DFARS Case 2019-D041) joined the foray on November 30, 2020. This rule mandates all defense contractors to perform cybersecurity self-assessments using the NIST CSF (SP) 800-171 DOD Assessment Methodology to qualify for new defense contracts and renewals of current contracts.

Amid all the deliberations and scrutiny, let’s try to understand the Interim DFARS Rule and its impact on you as a member of the DIB. In this blog, we’ll discuss what’s changed in the Interim DFARS Rule, what it mandates contractors to do and what your next steps should be with this latest mandate by the Department of Defense (DOD).

What changed in the Interim DFARS Rule?

This is not the first time the DOD has emphasized the need for defense contractors to follow the 110 cybersecurity controls defined in the National Institute of Standards and Technology (NIST) Special Publication 800-171, generally referred to as “800-171.”

Even before the adoption of CMMC, DFARS mandated that most defense contractors merely attest that they followed all the controls specified in 800-171. However, many non-compliant contractors and sporadic government audits led to controlled unclassified information (CUI) being leaked.

In an effort to counter potential security threats, the Interim DFARS Rule requires contractors to complete self-assessments and formally score their 800-171 compliance status based on a specific scoring system developed by the DOD. The contractors must then upload the self-assessment score to a federal Supplier Performance Risk System (SPRS) database to qualify for new contracts and renewals.

Now that you understand the crucial changes in the Interim DFARS Rule, let’s discuss how the rule’s scoring works.

Self-assessment and the scoring matrix

During self-assessment, contractors are expected to rate themselves based on the implementation of each of the 110 NIST (SP) 800-171 cybersecurity controls. The CMMC requires DOD contractors to conduct these self-assessments once every three years unless anything necessitates a change. Because contractors are subject to DOD and prime contractor audits at any time, it’s critical to maintain cybersecurity controls and have recent documentation validating that everything has remained secure and compliant.

The assessment scoring begins with a perfect score of 110 for each NIST 800-171 control. Points are then subtracted for non-implementation of controls. Each control holds a weighted point value ranging from one to five based on its significance.

No credit is given for partially implemented controls, except for multifactor authentication and FIPS-validated encryption. Although NIST does not prioritize security requirements, it declares that some controls bear a higher impact on a network’s security.

Here are four things you must remember when it comes to self-assessment:

  • If you don’t receive a perfect score of 110 points, you must create a Plan of Action and Milestones (POA&M) document outlining how the deficiencies will be addressed and the failing items remediated. You can update your score when the shortcomings are addressed and remediated.
  • As a contractor, you must also develop a System Security Plan (SSP) detailing implemented NIST 800-171 controls, such as operational procedures, organizational policies and technical components.
  • Neither SSPs nor POA&Ms are uploaded to the federal database but must be available for audit.
  • Upon concluding a self-assessment, you must submit your score to the governmental SPRS database within 30 days.

Now that we’ve established everything you must do, there’s no time to waste. Let’s talk about how we can help.

Get assessment-ready now!

To qualify for new contracts and renewals while CMMC is being rolled out, you must start gearing up to conduct a thorough and accurate self-assessment and do whatever it takes to fulfill today’s cybersecurity requirements. This way, you will comply with the Interim DFARS Rule and be prepared for every future development with respect to CMMC.

Navigating through the complexities of CMMC can be both complex and overwhelming. That’s why having an experienced partner like us can help ease the pressure. Contact us today to get our security experts in your corner.


"Great staff! immediately responsive to our urgent repair requests. They were meticulous in diagnosing our issues and made the repairs as quickly as they could. They are a pleasure to work with! Speros provided emergency repair service during a weekend when our cabling suffered accidental damage. Speros dispatched two technicians that worked tirelessly to restore the multiple severed fiber cables.  It was not long before the entire campus was back to normal.  It was exceptional and timely service by Speros."

Joan Strother
Savannah Country Day

"Speros has been our law firm's primary internet service provider for 10+ years. Rarely do I need to ask for a service work order because they are on top of regular maintenance. Recently, I was getting requests to reboot following critical software, asked to set reboots to be automatic after midnight, so it did not disrupt our workdays. Within 30 minutes of my request, it was done. THAT is good service. THANK YOU, SPEROS Team."

Doug Andrews
Andrews & Sanders Law Firm

"Have worked with Speros for over two decades mostly for old school landline requirements of my medical office.
Now have needed a website design.
In these extremely difficult times for all, I have found Heather, Esther, and Mary Elizabeth a phenomenal team to work thru this new endeavor for my private practice's needs."

Dr. Richard Roth
Roth Aviation Medical Services

"I am starting my own medical practice and have chosen Speros to assist with my logo design, website, IT support and phone systems. Great experience. The team at Speros is knowledgeable and professional."

Dr. Ismary De Castro
Savannah Endocrinology

"Everyone at Speros was very friendly and helpful. They communicated with our existing software/hardware management company and made it out to work on our network quickly on short notice, and had the whole issue solved in very little time. Will use this business again for our network needs. The tech that came out was amazingly easy to work with and was respectful of our hospitals covid-19 policies."

Anthony Phoumivong

"The biggest benefit of having Speros install and maintain our networking, servers, and backups have been the reliability. They provide professional, personalized service and have rapid response times. You can trust Speros to provide you with fast, professional service, and to resolve your complex issues quickly!"

Paul Waldhour
Paper Chemical Supply

"The biggest benefit of having Speros as our IT provider is their fast response times. Speros stays on top of your issues, and they follow through to make sure your problems are resolved correctly. They are a pleasure to work with!"

Ann Cowart
Oelschigs Nursery