Policy - Cybersecurity Maturity Model Certification (CMMC)

DFARS 205.75

Regulatory

Interim DFARS Rule - Assessing Contractor Implementation of Cybersecurity Requirements (85 FR 61505)

Interim rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a DoD Assessment Methodology and Cybersecurity Maturity Model Certification framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.

DFARS Case 2019-D041 - Strategic Assessment and Cybersecurity Certification Requirements

Implements a standard DoD-wide methodology for assessing DoD contractor compliance with all security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, and a DoD certification process, known as the Cybersecurity Maturity Model Certification (CMMC), that measures a company’s maturity and institutionalization of cybersecurity practices and processes. Partially implements section 1648 of the FY20 NDAA.

Policy / Guidance

DPC Memo - Interim Defense Federal Acquisition Regulation Supplement Rule, 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements, dated November 25, 2020

This memorandum emphasizes the requirements and ensures the workforce is aware of interim DFARS rule 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements, which was published in the Federal Register (85 FR 61505) on September 29, 2020, and is effective on November 30, 2020.

USD(A&S) Memorandum - Implementing the Cybersecurity Maturity Model Certification within the Department of Defense, dated August 4, 2020

Describes and implements Cybersecurity Maturity Model Certification (CMMC) for the Department of Defense as a key step to enhance the protection of intellectual property and sensitive unclassified information.

Training

DAU CMMC Webcast Series

A series of webcasts on CMMC implementation developed by DAU.

DAU Webcast - CMMC and Implementation of Interim DFARS rule 2019-D041

Ms. Katie Arrington, Chief Information Security Officer for OUSD(A&S); Mr. John Tenaglia, Principal Director, Defense Pricing, Contracting, and Acquisition Policy; and Lt Gen David Bassett, Director, Defense Contract Management Agency, discuss the background, intent, and implementation of interim DFARS rule 2019-D041 on the proper assessment of how contractors are implementing cybersecurity requirements.

Other

DFARS Case 2019-D041 (CMMC)

Helpful Links

OUSD(A&S) - Cybersecurity Maturity Model Certification