DoD’s Interim Final Rule

The Department of Defense’s (DoD) Interim Final Rule: CMMC, NIST SP 800-171 & What It Means for You

The interim rule was released on 29 September 2020 for public comment and went into effect on 30 November 2020. The rule is not retroactive to existing contracts and will only impact new contracts. The rule creates two assessment frameworks:

  • NIST SP 800-171 Assessment Methodology with NIST score posted in SPRS 
  • Cybersecurity Maturity Model Certification (CMMC) Framework 

NIST SP 800-171 Assessment Methodology Changes 

All new contracts and contract flow-downs will need to meet these changes. If you are currently a DoD contractor, you might be thinking that you already have to meet NIST 800-171. While that is true, there are some changes introduced in this rule. The rule will require both primes and sub-contractors to submit their score from an assessment to the Supplier Performance Risk System (SPRS). The assessment must not be more than three years old before contract acceptance or sub-contractor acceptance of a flow-down requirement. In addition, the DoD will classify you as needing either a Basic, Medium, or High Assessment. The DoD plans to do approximately 148 Medium Assessments and 81 High Assessments against small businesses over the next three years. There are an estimated 8,823 Basic Assessments that will need to be done and uploaded to SPRS each year due to new contract awards to small businesses.

New Cybersecurity Maturity Model Certification (CMMC) Framework 

The rollout of the CMMC will be phased over five years to minimize impact. Only the Office of Acquisition and Sustainment can add CMMC DFARS to a new contract. After 01 October 2025, all new contracts will be required to meet the CMMC framework. The key difference between the current DFAR 7012 and DFAR 7021 is that DFAR 7012 allows for self-attestation, while DFAR 7021 will require a third-party audit. The third-party audit will be conducted by accredited C3PAOs (Certified 3rd Party Assessment Organizations). For contractors handling only FCI (Federal Contracting Information), Level 1 will be required, which encompasses 15 practices. For contractors handling CUI (Controlled Unclassified Information, think ITAR and 600 Series), you will need to meet Level 3, which requires meeting 130 practices (NIST 800-171's 110 controls plus 20 CMMC practices).

Do you need help with your company’s cybersecurity assessment or meeting compliance with NIST SP 800-171 or CMMC? Send us an email or fill out the form below to schedule your free consultation with one of our experts.