View Rule


DOD/DARC RIN: 0750-AK81 Publication ID: Fall 2021 
Title: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) 

DoD is finalizing an interim rule to implement the following methodology and framework in order to protect against the theft of intellectual property and sensitive information from the Defense Industrial Base (DIB) sector:

  • The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology. A standard methodology to assess contractor implementation of the cybersecurity requirements in NIST SP 800-171, Protecting Controlled Unclassified Information (CUI) In Nonfederal Systems and Organizations.
  • The Cybersecurity Maturity Model Certification (CMMC) Framework. A DoD certification process that measures a company’s institutionalization of processes and implementation of cybersecurity practices. See RIN 0790-AL49 for information on a rule amending title 32 of the Code of Federal Regulations with regard to CMMC, which will inform the DFARS final rule.

This rule provides the Department with: (1) the ability to assess at a corporate level a contractor’s implementation of NIST SP 800-171 security requirements, as required by DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting; and (2) assurances that a DIB contractor can adequately protect sensitive unclassified information at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.

Agency: Department of Defense (DOD)  Priority: Economically Significant 
RIN Status: Previously published in the Unified Agenda  Agenda Stage of Rulemaking: Long-Term Actions 
Major: Yes  Unfunded Mandates: No 
CFR Citation: 48 CFR 204    48 CFR 212    48 CFR 217    48 CFR 252   
Legal Authority: 41 U.S.C. 1303    Pub. L. 116-92, sec. 1648   
Legal Deadline:  None
Action  Date  FR Cite
Interim Final Rule  09/29/2020  85 FR 48513   
Interim Final Rule Effective  11/30/2020 
Final Action  12/00/2022 
Regulatory Flexibility Analysis Required: Yes  Government Levels Affected: Federal 
Small Entities Affected: Businesses  Federalism: No 
Included in the Regulatory Plan: No 
Initial (Administrative Startup and/or Capital) Cost: $0  Yearly (Annual Operating) Cost: $0 
Base Year of the Dollar Estimates: 2021  RIN Data Printed in the FR: Yes 
Agency Contact:
Jennifer Johnson
Defense Acquisition Regulations System
Department of Defense
Defense Acquisition Regulations Council
3060 Defense Pentagon, Room 3B941,
Washington, DC 20301-3060
Phone: 571 372-6100