DoD Issues Interim Rule for Cybersecurity Maturity Model Certification (CMMC) Program
On September 29, 2020, the Department of Defense (DoD) issued an updated interim rule within its recent Cybersecurity Maturity Model Certification (CMMC) program. The updated rule announces the NIST SP 800-171 DoD Assessment Methodology (Assessment Methodology), an interim requirement for contractors before they undergo a full CMMC review.
The interim rule is designed as a two-phased approach to assess and verify the ability of contractors to protect controlled unclassified information (CUI) on their internal systems. Under the new guidance, the two phases of compliance are: (1) a gap assessment using the NIST SP 800-171 DoD Assessment Methodology, and (2) formal CMMC certification.
DFARS clause 252.204-7019 (the interim rule) advises offerors that they must have a current (not older than three years) assessment on record in a Government database called the Supplier Performance Risk System (SPRS). This clause is required in all DoD solicitations except those solely for the acquisition of commercially available off-the-shelf (COTS) items.
Assessments may be conducted at one of three levels: Basic, Medium, or High.
Basic Assessments will be required in new contract actions, including the exercise of options, starting November 30, 2020. After contract award, a contractor may be required to undergo a Medium or High Assessment "based on the criticality of the program or the sensitivity of the information being handled by the contractor." Further, contractors will be required to flow down these requirements to all subcontracts except those for COTS items. In addition, a contractor may not award a subcontract unless the subcontractor has a current assessment formally uploaded to SPRS.
A Basic Assessment will require a contractor to score its implementation of the NIST SP 800-171 controls on a 110-point scale using DoD's NIST SP 800-171 Assessment Methodology. The rule does not require contractors to achieve a specific minimum score; however, contractors will not be eligible for contract award unless they submit their identified score and the date by which the entity expects to achieve a full score of 110.
Based on the most recent updates, it is clear that CMMC will be rolled out over several years. Until the certification is fully implemented, the Office of the Under Secretary of Defense for Acquisition and Sustainment will designate specifically which procurements will require CMMC compliance. By October 1, 2025, all DoD contracts, other than contracts exclusively for COTS items, will be required to have the CMMC Level identified in the solicitation. At that point, all contractors and subcontractors will need to obtain a CMMC certification at some level.
There are still a number of questions outstanding as CMMC requirements continue to evolve, and we urge entities to track updates as they are released.