Understanding the DFARS 7019 Clause in Detail

The Department of Defense issued its long-awaited DFARS Interim Rule in September 2020, and it took effect on November 30, 2020. The rule has two primary goals: to establish CMMC as the cybersecurity framework for DoD contracts, and to require contractors and subcontractors to conduct a self-assessment against NIST SP 800-171 and submit their results to the DoD. With these twin goals, the Interim Rule aims to close the security and accountability gaps in the defense industrial base while offering an on-ramp for the implementation of CMMC.

The requirements outlined in the Interim Rule affect any work done by defense contractors, including primes and subcontractors, that is subject to DFARS 252.204-7012. Under the -7012 clause, defense vendors handling Controlled Unclassified Information (CUI) must implement the NIST SP 800-171 security requirements. Contracts solely for the acquisition of commercial off-the-shelf (COTS) items are exempt from the Interim Rule’s obligations. The Interim Rule adds three clauses (252.204-7019, -7020, and -7021) that strengthen the NIST SP 800-171 self-assessment requirements while, at the same time, facilitating the migration to CMMC. Since this can be a complicated task, many contractors rely on a DFARS consultant in Virginia Beach.

DFARS 7019 is one of three interconnected clauses added to the DFARS by the Department of Defense’s Interim Rule. These additional provisions supplement the existing DFARS 252.204-7012 clause.

The Interim Rule, which took effect on November 30, 2020, aims to improve cybersecurity throughout the US Defense Industrial Base (DIB). The problem has been that, under DFARS 7012, many vendors have been self-attesting to cybersecurity compliance without verifiably bringing their systems into conformance.

DFARS 7019 outlines the requirements that contractors must satisfy in order to correctly submit and maintain their self-assessment of compliance with NIST SP 800-171, as required under DFARS 7012. It also sets out how contracting officers confirm that a current assessment is on file before awarding or withholding a contract, based on the supplier’s reported assessment results.

The DFARS 7019 clause informs DIB providers that they must assess and report their NIST SP 800-171 compliance as a NIST SP 800-171 DoD Assessment score, not more than three years old, posted in the Supplier Performance Risk System (SPRS). Scores are visible only to the contractor and the Department of Defense, and are made available to others only on request.

While the DFARS Interim Rule does not define a minimum self-assessment score, every firm seeking to do business with the Department of Defense should be aware that risk-based analysis will be used to help decide which enterprises are awarded contracts. If a firm has a low self-assessment score, it stands to reason that the DoD will view it as a greater security risk than a rival with a higher score.

Firms that already have a current Basic, Medium, or High assessment on file in SPRS, performed using the NIST SP 800-171 DoD Assessment Methodology, along with a System Security Plan (SSP) and, where needed, a Plan of Action and Milestones (POA&M), will most likely satisfy the DFARS 7019 clause requirements. All other DIB vendors will need to complete this process as soon as possible.

Why is it so essential to get this done quickly? Because the new DFARS 7019 clause will appear in all future solicitations and contracts, except those solely for the acquisition of COTS items, and this covers not only new awards but also contract modifications and option renewals.…

Things to know before preparing for CMMC Level 3 Readiness

Cybersecurity Maturity Model Certification (CMMC) has become a necessity for businesses wanting to work on DoD contracts. There is a defined process that a DoD contractor has to follow to demonstrate cybersecurity maturity. To obtain Level 3 certification, a business must formally document and manage three process components, and these apply to all 17 CMMC domains. For each of the 17 domains, write a high-level policy statement (a task many firms hand to a CMMC consultant in VA Beach). You can choose to produce 17 individual documents or a single complete document by combining the policy statements.

In this blog, we will look into the policy statement format for CMMC level 3 readiness.

1. Purpose – a concise statement of the document’s aim

For example: "This policy specifies the requirements for securing and auditing access to the organization’s IT systems and data assets."

2. Scope – who is this policy statement applicable to?

For example: "This policy applies to all employees, contractors, and suppliers who manage and administer the organization’s systems and networks, and to those responsible for designing and implementing access control methods within the IT organization."

3. Roles and responsibilities – assign the key duties connected with the policy, such as defining policy requirements, implementing the policy, administering the policy, and creating and maintaining the procedure and method documentation.

4. Policy Statement – a high-level declaration that describes how the organization will apply the domain and related activities.

5. Signature of the executive authorizing the policy statement

Next, write a comprehensive description of how the organization implements each of the 130 Level 3 practices across the domains. The CMMC assessor should be able to see how the company uses people, policies, procedures, tools, and technology to implement, manage, monitor, and report on each practice.

During a CMMC assessment, the C3PAO must gather two types of Objective Evidence to verify each practice. Interview evidence may only be obtained from someone who is “currently performing the process or practice being assessed.” As a result, while writing your practice descriptions, select at least one person who is actively carrying out the practice and name them as the Subject Matter Expert the C3PAO will interview. In addition, keep track of any artifacts that serve as Objective Evidence for what you have written (e.g., monitoring output, management reports, administrative procedures, service tickets, change logs, desktop screenshots, etc.).

Plan your resources

Create a resource plan that outlines how the domain policies and security practices will be delivered. The plan must address the enterprise security program’s strategic goals, including a stated mission, cybersecurity goals and objectives, cybersecurity obligations (e.g., legislative, regulatory, contractual), and the roles of key stakeholders. The plan must also identify the resources allotted to implementing each domain policy. The resource allocation should cover staffing, processes and systems, tools and technology, and any third-party infrastructure management.

After completing the four stages outlined here, your company will be ready to begin a cost-effective external third-party assessment that brings real value to your CMMC Level 3 certification effort.…