In the meantime, the Defense Federal Acquisition Regulation Supplement (DFARS) purchasing requirements were updated with an interim rule that went into effect at the end of November 2020.
Most defense contracts have included a DFARS cybersecurity clause requiring contractors to implement the 110 cybersecurity controls in NIST SP 800-171 by the end of 2017. Many contractors largely ignored this requirement.
The interim rule now requires contractors to upload a self-assessment score into a DoD database to qualify for new defense contracts and renewals of existing contracts. Contractors are subject to audit by the DoD and must be ready with specific documentation and evidence of their compliance.
The interim rule is a huge opportunity for MSPs. If defense contractors fail to comply, they will not qualify for new contracts or contract renewals. If they post a false score, and fail a DoD audit, their defense contracts—in many cases their main source of income—can be cancelled. They can also be banned from future contracts and sued by the government under the federal False Claims Act for three times what they have been paid by the DoD. False attestations can also be prosecuted criminally.
Start with NIST
MSPs need to prepare before jumping on these opportunities:
- Build a good foundation of services to help businesses implement either the NIST CSF’s 98 cybersecurity controls or NIST 800-171’s 110 controls for defense contractors. Many requirements in the two NIST frameworks overlap, so it’s not difficult to develop managed services and compliance services that align with both.
- Take time to really understand the healthcare and defense requirements. You don’t need to become an expert, which could take years, but you should be able to speak knowledgeably with prospects and clients. When I started in compliance, I had to blaze a new trail by learning everything and then figuring out what I needed to do as an MSP to help clients. To help you accelerate your success, I developed Semel Systems’ NIST CSF System, HIPAA for Profit, and CMMC Compliance for Profit.
- Reduce your risks and your liability by protecting your MSP business and your investment. Check out my article "MSP Sued! Are You Ready?"
Don’t miss these huge opportunities to differentiate your company, help your clients, and make lots of money.