Responding to fundamental concerns about the cybersecurity of its private sector supply chain, the Department of Defense (DoD) will, at the end of this month, begin requiring its contractors to comply with a complex and demanding new cybersecurity framework.
Starting on November 30, 2020, contractors working for the DoD will need to comply with the long-anticipated Cybersecurity Maturity Model Certification (CMMC), which is being phased into solicitations over several years rather than applied to every contract at once. Once a solicitation carries the requirement, it is a go/no-go criterion for eligibility for that DoD contract.
Issued on September 29, 2020, the interim rule amends the Defense Federal Acquisition Regulation Supplement (DFARS) to establish the DoD Assessment Methodology for contractor cybersecurity and to implement the CMMC program.
What is the DoD Assessment Methodology?
The DoD Assessment Methodology requirement was developed to address perceived flaws in the self-assessment process. Currently, under DFARS clause 252.204-7012, contractors must self-certify that they have implemented the security requirements of NIST SP 800-171 on their “covered contractor information systems,” which are generally those that store, process, generate, transmit or access “covered defense information.” Through the interim rule, the DoD Assessment Methodology defines three assessment levels, Basic, Medium and High, which differ in who performs the assessment (a Basic assessment is a contractor self-assessment, while Medium and High assessments are conducted by the DoD) and in the depth of review. Each assessment produces a score based on the contractor’s implementation of the 110 controls identified in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.