
DOD/DARC RIN: 0750-AK81  Publication ID: Spring 2020
Title: Strategic Assessment and Cybersecurity Certification Requirements (DFARS Case 2019-D041)

DoD is proposing to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a standard DoD-wide methodology for assessing DoD contractor compliance with all security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, and a DoD certification process for cybersecurity practices and processes. Currently, DFARS clause 252.204-7012, Network Penetration and Safeguarding of Covered Defense Information, requires contractors to provide adequate security for controlled unclassified information (CUI), for which the minimum requirement is to implement the security requirements in NIST SP 800-171. The DoD standard methodology validates contractor implementation of the NIST SP 800-171 security requirements in a consistent and objective manner. As a result of this rule, contractors will be required to review their system security plans and provide an implementation self-assessment to DoD in accordance with the scoring methodology. The score reflects the net effect of security requirements not yet implemented. Depending on the criticality of the data, DoD may also choose to review the system security plans, obtain additional information from the contractor through interviews, and ask the contractor to clarify the plan. For very critical systems, DoD may request an on-site validation or demonstration to ensure a high level of confidence in the implementation of the NIST SP 800-171 requirements. Whether the assessment is conducted by the contractor or by DoD, the same scoring methodology will be used. CMMC is a DoD certification process intended to serve as a mechanism to ensure that appropriate cybersecurity practices and processes are in place to ensure basic cyber hygiene, as well as to protect CUI residing on the networks of DoD's industry partners.
CMMC assessments take into consideration various cybersecurity controls, requirements and standards, including NIST SP 800-171, while also measuring the maturity of a company's institutionalization of these cybersecurity practices and processes. Information on CMMC and a copy of the draft CMMC model can be found at [URL omitted from this record]. CMMC assessments will be primarily conducted by independent third parties. Upon completion of a CMMC assessment, a company is awarded certification at the appropriate CMMC level (as described in the CMMC model), and the certification level is documented in SPRS to enable verification of an offeror's certification level prior to contract award.

Agency: Department of Defense (DOD)  Priority: Other Significant
RIN Status: First time published in the Unified Agenda  Agenda Stage of Rulemaking: Proposed Rule Stage
Major: Yes  Unfunded Mandates: No 
EO 13771 Designation: Regulatory 
CFR Citation: 48 CFR 204; 48 CFR 212; 48 CFR 217; 48 CFR 252
Legal Authority: 41 U.S.C. 1303
Legal Deadline: None
Action: NPRM  Date: 07/00/2020  FR Cite:
Regulatory Flexibility Analysis Required: Undetermined  Government Levels Affected: Federal 
Federalism: Yes 
Included in the Regulatory Plan: No 
RIN Data Printed in the FR: No 
Agency Contact:
Jennifer Hawes
Defense Acquisition Regulations System
Department of Defense
3060 Defense Pentagon, Room 3B941,
Washington, DC 20301-3060
Phone: 571 372-6115