Email Iconinfo@coreitx.com
Call Icon+1.888.851.5253

The Interim DFARS Rule and What It Means for You

April 13, 2021

The Cybersecurity Maturity Model Certification (CMMC) was formally made part of the Defense Federal Acquisition Regulation Supplement (DFARS) in January 2020. The decision sent over 300,000 members of the defense industrial base (DIB), mostly small and midsize businesses (SMBs), into a state of frenzy. Most found themselves drowning in all the unnecessary noise surrounding CMMC and its larger implications on existing and future government contracts.

The chaos increased when the Interim DFARS Rule (DFARS Case 2019-D041) joined the foray on November 30, 2020. This rule mandates all defense contractors to perform self-assessments of their cybersecurity efficacy using the NIST CSF (SP) 800-171 DoD Assessment Methodology.

Amid all the deliberation and scrutiny, let us try understanding the Interim DFARS Rule and its impact on you as a member of the DIB. In this short read, we will tell you what exactly the Interim DFARS Rule changed, what it mandates contractors to do and what your next immediate step should be if you do not wish to be penalized for non-compliance with this latest mandate by the Department of Defense (DoD).

What the Interim DFARS Rule Changed

This is not the first time the DoD has emphasized on the need for defense contractors to follow the 110 cybersecurity controls mentioned in the National Institute of Standards and Technology (NIST) Special Publication 800-171, generally referred to as “800-171.”

Even prior to the adoption of the CMMC, DFARS mandated most defense contractors to merely attest to the fact that they followed all the controls specified in 800-171. However, many non-compliant contractors and sporadic government audits led to controlled, unclassified information (CUI) leaked out of government contracts.

Therefore, in a bid to counter potential security threats, the Interim DFARS Rule performs complete self-assessments and formally scores their 800-171 compliance status based on a specific scoring system developed by the DoD. The post-assessment score would then have to be uploaded to a federal database – the Supplier Performance Risk System (SPRS).

The deadline for you to conduct a self-assessment and upload it to the SPRS database was yesterday (yes, you read that right) if you intend to accept any DoD-related contracts issued after December 1, 2020 that include the flow down of DFARS 252.204-7012.

Having understood the urgency with which you must approach complying with the Interim DFARS Rule, let us now look at how the interim rule scoring works.

Self-Assessment and The Scoring Matrix

During the self-assessment, contractor are expected to score themselves on the implementation of each of the 110 NIST (SP) 800-171 cybersecurity controls. The CMMC requires DoD contractors to conduct these self-assessments once every three years, unless anything necessitates a change in frequency.

The assessment scoring begins with a perfect score of 110 for each NIST 800-171 control. Points are then subtracted for every control that has not been implemented. Each control holds a point value ranging from one to five based on a control’s significance.

No credit is given for partially implemented controls, except for multifactor authentication and FIPS-validated encryption. Although NIST does not prioritize security requirements, it does declare that certain controls bear greater impact on a network’s security.

Here are three things you must remember with respect to the self-assessment:

  • If you receive less than 110 points, you must generate a Plan of Action and Milestones (POA&M) document explaining how the deficiencies will be addressed and the failing items will be remediated. You can update scores as and when the loopholes are addressed and remediated.
  • As a contractor, you must also develop and submit a System Security Plan (SSP) with thorough details of implemented NIST 800-171 controls such as operational procedures, organizational policies and technical components.
  • Upon concluding the self-assessment, you must submit the results to the governmental SPRS database within 30 days.

Now that we have established all that you must do, there’s no time to waste. Here’s what you immediately need to do.

Get Assessment Ready Now!

While the DoD works out every little detail about CMMC and puts it out in the open by 2026, you just cannot wait about in anticipation. You must start gearing up to conduct a thorough and accurate self-assessment and do whatever it takes after that to fulfill today’s cybersecurity requirements. This way, you will comply with the Interim DFARS Rule and also be prepared for every future development with respect to CMMC.

Navigating through the complexities of CMMC can be both complex and overwhelming. That’s why having an experienced partner to shoulder the responsibility would ease the pressure on you. We would love to chip in with our best efforts. All it would take is an email allowing us to talk to you about it.

Article curated and used by permission.

Recent Post

November 24, 2025

Holiday Tech Etiquette for Small Businesses (or: How Not To Accidentally Ruin Someone’s Day)

During the holidays, small businesses must maintain proper tech etiquette to avoid frustrating customers who are already stressed with end-of-year activities. Key practices include updating online business hours across all platforms (Google Business Profile, Facebook, Instagram, Yelp, and website banners) with clear, friendly messaging about closures. Setting human-sounding out-of-office email replies helps maintain customer relationships while avoiding oversharing personal details that could create security risks. Testing phone systems ensures voicemail greetings match current hours and provide clear instructions for urgent matters. For businesses that ship products, communicating shipping deadlines early and prominently prevents disappointed customers. These simple tech manners - updating hours, crafting friendly auto-replies, protecting privacy, testing communication systems, and setting clear expectations - demonstrate respect for customers' time and help maintain positive relationships even when the business is closed. Good holiday tech etiquette prevents customer frustration and protects business reputation during the crucial holiday season.
Read More
November 17, 2025

Holiday Scams in Disguise: What To Watch Out for When Donating Online

During the holidays, scammers exploit generosity by creating fake charity campaigns and fraudulent fundraisers. These scams can cost small businesses money and damage their reputation if they unknowingly support fraudulent causes. Red flags include pressure to donate immediately, requests for payment via gift cards or wire transfers, vague information about fund usage, and impersonation of legitimate charities. To protect your business, establish a donation policy with approval thresholds, educate employees about scam tactics, verify charities through official websites, and monitor how donated funds are used. Legitimate charities provide transparent financial information and accept standard payment methods. By implementing these safeguards, businesses can maintain their goodwill while avoiding financial loss and reputational damage from charity scams.
Read More
November 10, 2025

Tech Wins That Actually Made Small Business Life Easier This Year

In 2026, several practical technology tools genuinely improved small business operations. Automatic invoice reminders through platforms like QuickBooks, FreshBooks and Xero reduced payment times from 45 to 28 days, easing cash-flow stress. AI tools such as ChatGPT, Claude, and Microsoft Copilot handled administrative tasks like drafting emails and job descriptions, saving owners valuable time while preserving human decision-making. Simple cybersecurity measures, including multifactor authentication and password managers, enhanced security while streamlining logins. Cloud tools enabled true mobility, allowing business owners to access documents and close deals from anywhere. Communication platforms like Slack and Microsoft Teams reduced email clutter and facilitated quicker team collaboration. These tools succeeded because they solved real daily problems rather than adding complexity, proving that the best tech isn't the flashiest—it's the stuff that quietly saves time, protects businesses, and keeps people happy.
Read More

Location

Location
440 Cobia Dr,Unit 1101,Katy TX 77494 USA
Location
1st Floor, Badheka Chambers 31, Manohardas Street, Fort, Mumbai 400001 INDIA
Location
Office Number – 703, Rajhans Montessa, Surat Dummas Road, Surat 395007 INDIA

Services

Cloud ServicesCloud ConsultingCloud Monitoring & ManagementCloud Integration & Migration
Cyber Hygiene for SMBs
Remote Infrastructure ManagementNetwork ServicesRemote Monitoring and ManagementManaged Security ServicesEmail ServicesBackup & DRaaS
IT Professional ServicesManaged Hosting ServicesIT Audit & GRC ServicesIT Application Development ServicesCybersecurity Services

Solutions

Cloud + Data Center Transformation SolutionsIT Infrastructure SolutionsDigital Operations Solutions pagesCyberSecurity Solutions

Quick Links

Privacy PolicyContact UsCareersBlogsBrochuresInfographicsWhitepapersKnowledge baseMaster Services Agreement (current)
LinkedInFacebookInstagram
© 2025 Core Technologies Services, Inc. All rights reserved.