Not Just CMMC: New DOD Rule Creates Two Cybersecurity Assessment Frameworks

WHAT: After clearing the interagency review conducted by the Office of Management and Budget (OMB), the U.S. Department of Defense (DOD) has released a long-awaited interim rule to implement not one, but two new frameworks for verifying contractor compliance with cybersecurity requirements: (1) NIST SP 800-171 DOD Assessment Methodology and (2) the Cybersecurity Maturity Model Certification (CMMC).

WHEN: The interim rule was released September 29, 2020 and is scheduled to became effective on November 30, 2020.

WHAT DOES IT MEAN FOR INDUSTRY: This interim rule combines two items: (1) a new assessment framework, which will have an immediate impact on contractors, and (2) additional information about the long-anticipated CMMC framework, which DOD will roll out over the next five years.

The immediate impact comes from the NIST SP 800-171 DOD Assessment Methodology. Under this framework, contractors will be required to complete a self-assessment of their compliance with NIST SP 800-171 before they can receive DOD contracts. This framework also gives DOD new tools for verifying a contractor’s compliance.

For CMMC, the interim rule introduces the long-anticipated DFARS clause that sheds some light on how DOD contractors are expected to flow down the requirements to subcontractors. But the interim rule also highlights DOD’s desire to continue developing the CMMC requirements outside the DFARS rulemaking process.

Continue reading for our take on the key questions, including what is happening and when; what types of contracts are covered; the differences between SP 800-171 Assessments and CMMC Certifications; what stages of the procurement lifecycle these rules apply to; how contractors are expected to flow down these requirements; and DOD’s initial insight into potential dispute processes.

Download Newsletter