The CMMC Framework and NIST SP 800-171 are the two cybersecurity assessment methodologies addressed in DFARS Case 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements, published in the Federal Register, 85 Fed. Reg. 61505 (Sept. 29, 2020), and effective Nov 30, 2020. DoD issued this interim rule, Assessing Contractor Implementation of Cybersecurity Requirements, on Sep 29, 2020 (effective Nov 30, 2020) to implement:
This means compliance with NIST SP 800-171 is no longer voluntary and must be validated through an external assessment every three years. The DFARS has been updated to supplement the existing clauses 252.204-7012 and 252.704-7008 with a requirement that contractors have a NIST SP 800-171 DoD Assessment for each covered contractor information system relevant to an offer, contract, task order, or delivery order, and that the assessment be posted in the Supplier Performance Risk System (SPRS).
The CMMC Framework includes a comprehensive and scalable certification element to verify the implementation of the processes and practices associated with achieving a cybersecurity maturity level. CMMC is designed to give the Department increased assurance that a defense industrial base (DIB) contractor can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain. DFARS 204.75 and clause 252.704-7021 require a contractor to hold a current CMMC certificate at the CMMC level required by the contract, to renew it every three years, and to maintain the certificate at the required level for the duration of the contract.
A CMMC certificate is required for new contracts awarded after the rule's effective date. For more detailed information, go to https://www.acq.osd.mil/cmmc/updates.htm
For more information on the CMMC Framework, go to the CMMC websites at https://dodcio.defense.gov/CMMC/ and https://www.acq.osd.mil/cmmc/