
DOD/DARC RIN: 0750-AK81 Publication ID: Fall 2020 
Title: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) 
Abstract:

DoD is issuing an interim rule amending the Defense Federal Acquisition Regulation Supplement to implement the following methodology and framework in order to protect against the theft of intellectual property and sensitive information from the Defense Industrial Base (DIB) sector:

  • The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology. A standard methodology to assess contractor implementation of the cybersecurity requirements in NIST SP 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations.
  • The Cybersecurity Maturity Model Certification (CMMC) Framework. A DoD certification process that measures a company’s institutionalization of processes and implementation of cybersecurity practices.

This rule provides the Department with: (1) the ability to assess at a corporate-level a contractor’s implementation of NIST SP 800-171 security requirements, as required by DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting; and (2) assurances that a DIB contractor can adequately protect sensitive unclassified information at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.

Agency: Department of Defense(DOD)  Priority: Economically Significant 
RIN Status: Previously published in the Unified Agenda Agenda Stage of Rulemaking: Final Rule Stage 
Major: Yes  Unfunded Mandates: No 
EO 13771 Designation: Fully or Partially Exempt 
CFR Citation: 48 CFR 204    48 CFR 212    48 CFR 217    48 CFR 252   
Legal Authority: 41 U.S.C 1303    Pub. L. 116-92, sec. 1648   
Legal Deadline:  None

Statement of Need:

In February 2019, USD(A&S) directed the Defense Contract Management Agency (DCMA) to develop a standard methodology to assess contractor implementation of the cybersecurity requirements in NIST SP 800-171 at the corporate or entity level. The DCMA Defense Industrial Base Cybersecurity Assessment Center’s NIST SP 800-171 DoD Assessment Methodology is the Department’s initial strategic DoD/corporate-wide assessment of contractor implementation of the mandatory cybersecurity requirements established in the contracting regulations. Results of a NIST SP 800-171 DoD Assessment reflect the net effect of NIST SP 800-171 security requirements not yet implemented by a contractor.

Building upon the NIST SP 800-171 DoD Assessment Methodology, the CMMC framework adds a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB contractor can adequately protect sensitive unclassified information (i.e., FCI and CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.

Summary of the Legal Basis:

This rule is being implemented under the authority of 41 U.S.C. 1303 and Section 1648 of the National Defense Authorization Act for Fiscal Year (FY) 2020 (Pub. L. 116-92). The Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)) has the authority and responsibility for promulgating DoD procurement rules under the OFPP statute, codified at Title 41 of the U.S. Code. Section 1648 of the National Defense Authorization Act for Fiscal Year (FY) 2020 (Pub. L. 116-92) directs the Secretary of Defense to develop a risk-based cybersecurity framework for the DIB sector, such as CMMC, as the basis for a mandatory DoD standard.

Alternatives:

DoD considered and adopted several alternatives during the development of this rule that reduce the burden on small entities and still meet the objectives of the rule. These alternatives include: (1) exempting contracts and orders exclusively for the acquisition of commercially available off-the-shelf items; and (2) implementing a phased rollout for the CMMC portion of the rule and stipulating that the inclusion of a CMMC requirement in new contracts until that time be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment. Additional alternatives related to the processes and practices of each of the CMMC levels and the timing of a certification with regard to a DoD contract award were considered; however, it was determined that these other alternatives did not achieve the intended policy outcome.

Anticipated Costs and Benefits:

The annualized value of costs beginning in fiscal year 2021 (calculated in perpetuity in 2016 dollars at a 7 percent discount rate) associated with implementing the NIST SP 800-171 DoD Assessment Methodology and the CMMC Framework is $4.6 billion. The primary benefit of this rule is improving the protection of the Department's sensitive information and reducing the threat to DIB sector intellectual property by:

  • Enabling immediate and strategic assessments at the entity level of contractor implementation of cybersecurity processes and practices that should already be in place;
  • Requiring comprehensive implementation of cybersecurity requirements rather than plans of action to accomplish implementation;
  • Verifying DIB sector contractor and subcontractor cybersecurity postures; and
  • Reducing duplicative or repetitive assessments of our industry partners through standardization.


Risks:

The theft of intellectual property and sensitive information from all U.S. industrial sectors due to malicious cyber activity threatens economic security and national security. Malicious cyber actors have targeted and continue to target the Defense Industrial Base (DIB) sector and the supply chain of the Department of Defense (DoD). These attacks not only focus on the large prime contractors, but also target subcontractors that make up the lower tiers of the DoD supply chain. Many of these subcontractors are small entities that provide critical support and innovation. The aggregate loss of intellectual property and certain unclassified information from the DoD supply chain can undercut U.S. technical advantages and innovation, as well as significantly increase risk to national security.

Timetable:
Action Date FR Cite
Interim Final Rule  11/00/2020 
Regulatory Flexibility Analysis Required: Yes  Government Levels Affected: Federal 
Small Entities Affected: Businesses  Federalism: No 
Included in the Regulatory Plan: Yes 
Initial (Administrative Startup and /or Capital) Cost: $0  Yearly (Annual Operating) Cost: $0 
Base Year of the Dollar Estimates: 2021  RIN Data Printed in the FR: Yes 
Agency Contact:
Jennifer D. Johnson
Office of the Under Secretary of Defense for Acquisition and Sustainment
Department of Defense
Defense Acquisition Regulations Council
Defense Pricing and Contracting, Defense Acquisition Regulations System, Room 3B938, 3060 Pentagon,
Washington, DC 20301-3060
Phone: 703 717-8226
Email: jennifer.d.johnson1.civ@mail.mil