DoD Interim Rule for NIST SP 800-171 and CMMC
If you’re a Department of Defense (DoD) contractor or a manufacturer in the DoD supply chain who is required to implement NIST SP 800-171 security controls and planning to implement Cybersecurity Maturity Model Certification (CMMC), you know cybersecurity compliance is a must.
The DoD recently issued an Interim Rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS), effective November 30, 2020. A new mandatory construct was introduced with the rule called the DoD Assessment Methodology.
The Interim Rule is designed to achieve phased implementation of both the newly required Assessment Methodology and the CMMC framework. The DoD
Assessment Methodology serves as an interim self-certification process before contractors undergo a full CMMC review.
What’s the new DoD Assessment Methodology all about?
It’s a standardized approach to assess contractor application of the cybersecurity requirements in NIST SP 800-171. This step provides an interim status on contractors’ current implementation of the NIST 800-171 requirements.
The DoD Assessment Methodology requirement was developed to address perceived shortcomings in the self-attestation process conducted by contractors and their subcontractors with access to covered defense information (CDI) or controlled unclassified information (CUI) under DFARS clause 252.204-7012.
The methodology also includes a scoring system that assigns a weight to each NIST 800-171 requirement and subtracts points for all requirements that are not fully implemented. Some contractors will have a negative score. Contractors must enter their most recent assessment date and score, and the projected end date of their POAM into the DoD Supplier Performance Risk System database (SPRS).
How does the Interim Rule affect CMMC implementation?
With the Interim Rule, the DoD is gradually phasing in the rollout of CMMC. It won’t be until September 30, 2025 that all contracts over a micropurchase threshold will require CMMC certification. Until that time, the DoD will determine which solicitations will include the CMMC requirement.
When the CMMC requirement, DFARS clause 252.204-7021, appears in future contracts, it will be a mandatory flow down to subcontractors at all tiers. The level of CMMC certification applicable to contractors will be based on the sensitivity of the information provided to them. The Interim Rule does not specify whether the government or contractor makes this determination although it implies it will be the responsibility of the contractor.
At this point in time it would benefit you to familiarize yourself with the with the DoD Assessment Methodology and SPRS. If you are not required to implement NIST SP 800-171 security controls because your company does not meet the criteria, be prepared to document why you do not need to conduct a DoD Assessment.
As a manufacturer who participates in supply chains tied to government contracts, you are well aware you must comply with the Defense Federal Acquisition Regulation Supplement. Implementation of the security requirements in NIST Special Publication 800-171 is a must. The DoD Assessment can help provide you with interim documentation of the requirements until full implementation of CMMC is achieved.
Contact us if you would like to learn more about the DoD’s Interim Rule and CMMC implementation.
Did you attend the webinar about the DoD Interim Rule & CMMC?
Watch the full discussion with Director of Strategic Growth & Technology, Jeff Orszak, and Helena Reilly, Technology Solutions Consultant.
[Video] Ransomware Hits East Hartford Manufacturer
Think it won't happen to your mall business? So did this manufacturer. Listen to his story.
The Cybersecurity Maturity Model Certifi cation (CMMC) is the next step in the Department of Defense (DoD) efforts to protect U.S. defense manufacturing supply chains from cyberthreats.
[PDF] Cybersecurity Compliance is Mandatory
Manufacturers doing business directly or indirectly for the DoD, GSA, and NASA must meet Defense Federal Acquisition Regulation (DFAR) minimum cybersecurity standards or risk losing contacts.