DoD Issues Interim Rule for Cybersecurity Maturity Model Certification (CMMC) Program
November 18, 2020
On September 29th, 2020, the Department of Defense (DoD) issued an updated interim rule within its recent Cybersecurity Maturity Model Certification (CMMC) program. The updated rule announces the DoD Assessment Methodology (Assessment Methodology), an interim requirement for contractors before undergoing a full CMMC review.
The interim rule is designed as a two-phased approach to assess and verify the ability of contractors to protect controlled unclassified information (CUI) on their internal systems. Under this new guidance, the two phases of compliance are: (1) gap assessment using the NIST 800-171 DoD Assessment Methodology, and (2) formal CMMC certification.
DFARS provision 252.204–7019 (interim rule), advises officers that they must have a current (not older than three years) assessment on record in a Government database called the Supplier Performance Risk System (SPRS). This clause is required in all DoD solicitations except for those solely for the acquisition of commercially available off-the-shelf (COTS) items.
Assessments may be conducted at one of three levels:
Basic Assessments will be required in new contract actions, including option exercises, following November 30th, 2020. After a contract is awarded, a contractor may be required to undergo a Medium or High Assessment “based on the criticality of the program or the sensitivity of information being handled by the contractor.” Further, contractors will be required to flow-down these requirements to all subcontracts except those for COTS items. Additionally, a contractor may not award a subcontract unless the subcontractor has a current assessment formally uploaded within the SPRS.
A Basic Assessment will require a contractor to score its implementation of NIST SP 800-171 controls on a 110-point scale using DOD’s NIST SP 800-171 Assessment Methodology. The rule does not require contractors to achieve a specific minimum score, however, contractors will not be eligible for contract award unless they submit their identified score and the date by which the entity expects to achieve a full 110 score.
Based on the most recent updates, it is clear that CMMC will be rolled out over several years. Until certification is fully implemented, the Office of the Under Secretary of Defense for Acquisition and Sustainment will designate specifically which procurements will require CMMC compliance. By October 1, 2025, all contracts with DoD, other than contracts exclusively for COTS items, will be required to have the CMMC Level identified in the solicitation. At that point, all contractors and subcontractors will need to obtain a CMMC certification at some level.
There are still a number of questions outstanding as CMMC certification requirements continue to evolve and we urge entities to track updates as they are released.