View Rule

DoD is issuing a final rule to finalize an interim rule that amended the Defense Federal Acquisition Regulation Supplement to implement the following methodology and framework in order to protect against the theft of intellectual property and sensitive information from the Defense Industrial Base (DIB) sector: 

• The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology .  A standard methodology to assess contractor implementation of the cybersecurity requirements in NIST SP 800-171, Protecting Controlled Unclassified Information (CUI) In Nonfederal Systems and Organizations.
• The Cybersecurity Maturity Model Certification (CMMC) Framework .  A DoD certification process that measures a company’s institutionalization of processes and implementation of cybersecurity practices.

This rule provides the Department with: (1) the ability to assess at a corporate level a contractor’s implementation of NIST SP 800-171 security requirements, as required by DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting; and (2) assurances that a DIB contractor can adequately protect sensitive unclassified information at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.