The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology employed to assess contractor implementation of the cybersecurity requirements in NIST SP 800-171, Protecting Controlled Unclassified Information (CUI) In Nonfederal Systems and Organizations, required by DFARS 252.204-7012. The verification of contractor implementation of NIST SP 800-171 security requirements is addressed under DFARS provision 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, and DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements.

The Cybersecurity Maturity Model Certification (CMMC) Framework, version 2.0. CMMC 2.0 is a newly approved DoD certification process to help assess a DIB contractor’s compliance with and implementation of cybersecurity requirements to safeguard FCI and CUI transiting non-federal systems and mitigate the threats posed by Advanced Persistent Threats--adversaries with sophisticated levels of expertise and significant resources.

This rule is related to DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, which specifies the CMMC requirement at the level specified for a contract and for the duration of the contract with the DIB contractor. This rule will specify the CMMC requirements, at CMMC Level 1, 2, or 3, with which DIB contractors must comply in advance of a contract award, as well as the process for obtaining and maintaining CMMC certification, as required for a designated DoD contract.