View Rule

View EO 12866 Meetings Printer-Friendly Version     Download RIN Data in XML

DOD/DARC RIN: 0750-AK81 Publication ID: Spring 2021 
Title: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) 

DoD is issuing a final rule to finalize an interim rule that amended the Defense Federal Acquisition Regulation Supplement to implement the following methodology and framework in order to protect against the theft of intellectual property and sensitive information from the Defense Industrial Base (DIB) sector: 

  • The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology .  A standard methodology to assess contractor implementation of the cybersecurity requirements in NIST SP 800-171, Protecting Controlled Unclassified Information (CUI) In Nonfederal Systems and Organizations.
  • The Cybersecurity Maturity Model Certification (CMMC) Framework .  A DoD certification process that measures a company’s institutionalization of processes and implementation of cybersecurity practices.

This rule provides the Department with: (1) the ability to assess at a corporate level a contractor’s implementation of NIST SP 800-171 security requirements, as required by DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting; and (2) assurances that a DIB contractor can adequately protect sensitive unclassified information at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.

Agency: Department of Defense(DOD)  Priority: Economically Significant 
RIN Status: Previously published in the Unified Agenda Agenda Stage of Rulemaking: Final Rule Stage 
Major: Yes  Unfunded Mandates: No 
CFR Citation: 48 CFR 204    48 CFR 212    48 CFR 217    48 CFR 252   
Legal Authority: 41 U.S.C 1303    Pub. L. 116-92, sec. 1648   
Legal Deadline:  None
Action Date FR Cite
Interim Final Rule  09/29/2020  85 FR 48513   
Interim Final Rule Effective  11/30/2020 
Final Action  09/00/2021 
Regulatory Flexibility Analysis Required: Yes  Government Levels Affected: Federal 
Small Entities Affected: Businesses  Federalism: No 
Included in the Regulatory Plan: Yes 
Initial (Administrative Startup and /or Capital) Cost: $0  Yearly (Annual Operating) Cost: $0 
Base Year of the Dollar Estimates: 2021  RIN Data Printed in the FR: Yes 
Agency Contact:
Jennifer Johnson
Defense Acquisition Regulations System
Department of Defense
Defense Acquisition Regulations Council
3060 Defense Pentagon, Room 3B941,
Washington, DC 20301-3060
Phone:571 372-6100