View Rule

DoD is proposing to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a standard DoD-wide standard methodology for assessing DoD contractor compliance with all security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations and a DoD certification process, known of cybersecurity practices and processes. Currently, DFARS clause 252.204-7012, Network Penetration and Safeguarding of Covered Defense Information, requires contractors to provide adequate security for controlled unclassified information for which the minimum requirement is to implement the security requirements in NIST SP 800-171. The DoD standard methodology validates contractor implementation of the security requirements in NIST SP 800-171 in a consistent and objective manner. As a result of this rule, contractors will be required to review their system security plans and provide an implementation self-assessment to DoD in accordance with the scoring methodology. The score reflects the net effect of security requirements not yet implemented. Depending on the criticality of the data, DoD may also choose to review the system security plans, get additional information from the contractor through interviews, and ask for clarification in the plan by the contractor. For very critical systems, DoD may request an on-site validation/demonstration to ensure a high level of confidence with the implementation of NIST SP 800-171 requirements. Whether the assessment is conducted by the contractor or by DoD, the same scoring methodology will be used.  CMMC is a DoD certification process that is intended to serve as a mechanism to ensure appropriate cybersecurity practices and processes are in place to ensure basic cyber hygiene, as well as protect CUI residing on DoD’s industry partners’ networks. CMMC assessments take into consideration various cybersecurity controls/requirements/standards, including NIST SP 800-171, while also measuring the maturity of a company’s institutionalization of these cybersecurity practices and processes.  Information on CMMC and a copy of the draft CMMC model can be found at https://www.acq.osd.mil/cmmc/index.html. CMMC assessments will be primarily conducted by independent third parties. Upon completion of a CMMC assessment, a company is awarded certification at the appropriate CMMC level (as described in the CMMC model) and the certification level is documented in SPRS to enable the verification of an offeror’s certification level prior to contract award.