OVERVIEW
On September 29, 2020, the US Department of Defense (DoD) released the highly anticipated interim rule (“Interim Rule”) amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the DoD Assessment Methodology and Cybersecurity Maturity Model Certification (CMMC). This new Interim Rule is effective November 30, 2020, in advance of promulgation of a future final rule. (DFARS Case 2019-D041; 85 FR 61505.)
IN DEPTH
NEW INTERIM COMPLIANCE OBLIGATION: COMPLIANCE CERTIFICATION UNDER NIST 800-171
The most significant change in the Interim Rule is the introduction of the new obligation for federal contractors to either self-certify or obtain a third-party assessment methodology to certify contractor compliance with cybersecurity requirements. (Click here for McDermott’s analysis.) Pursuant to the Interim Rule, beginning November 30, 2020, all contractors and subcontractors who accept contracts containing DFARS clause 252.204-7012 will need to comply with the National Institute of Standards and Technology (NIST) Assessment methodology for initial assessments, and update those assessments every three years.
This framework expands on existing requirements for federal contractors, as set forth by DFARS Clause 242.204-7012 and NIST Special Publication (SP) 800-171.
NIST SP 800-171 ASSESSMENT METHODOLOGY
The NIST Assessment Methodology is designed to enable the federal government to assess its prime contractors and for the prime contractors to assess their subcontractors.
To qualify for new contract awards after the implementation date of the Interim Rule, contractors and subcontractors are required to have an assessment on record within the last three years (or more recently for certain contracts). (Interim Rule, 85 FR at 61506.)
The methodology provides for three types of assessments. (Assessment Methodology at 3-5.)
-
Basic. Basic Assessments are self-assessments performed by the contractor or the subcontractor against the 110 controls of NIST SP 800-171. A Basic Assessment provides only a minimum level of confidence in the resulting score because it