DoD is finalizing an interim rule to implement the following methodology and framework in order to protect against the theft of intellectual property and sensitive information from the Defense Industrial Base (DIB) sector:

• The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology. A standard methodology to assess contractor implementation of the cybersecurity requirements in NIST SP 800-171, Protecting Controlled Unclassified Information (CUI) In Nonfederal Systems and Organizations.

• The Cybersecurity Maturity Model Certification (CMMC) Framework. A DoD certification process that measures a company’s institutionalization of processes and implementation of cybersecurity practices. See RIN 0790-AL49 for information on a rule amending title 32 of the Code of Federal Regulations with regard to CMMC, which will inform the DFARS final rule.

This rule provides the Department with: (1) the ability to assess at a corporate level a contractor’s implementation of NIST SP 800-171 security requirements, as required by DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting; and (2) assurances that a DIB contractor can adequately protect sensitive unclassified information at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.