DoD issued an interim rule to amend DFARS to implement a DoD Assessment Methodology and the Cybersecurity Maturity Model Certification (CMMC) framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.
CMMC complements DFARS clause 252.204-7012, which was published in the Federal Register and became effective in 2015. Among other requirements, 252.204-7012 requires Contractors/Subcontractors to safeguard CUI by implementing cybersecurity requirements in NIST SP 800-171.
Advises offerors required to implement the NIST SP 800-171 standards of the requirement to have a current NIST SP 800-171 DoD Assessment on record to be considered for award. Requires offerors to post current Assessments in the Supplier Performance Risk System (SPRS).
Effective 1 Oct 2025. Requires CMMC certificate by time of contract award. Until 1 Oct 2025, DoD must approve CMMC clause in new acquisitions. Contractor certification level must be maintained for contract duration and this clause must be flowed down, as required.
National Institute of Standards and Technology Special Publication (NIST SP) 800-172, provides federal agencies with a set of enhanced security requirements for protecting the confidentiality, integrity, and availability of CUI in nonfederal systems and organizations from the advanced persistent threat when the CUI is associated with a critical program or high value asset.
SPRS “...is the authoritative source to retrieve supplier and product PI [performance information] assessments for the DoD [Department of Defense] acquisition community to use in identifying, assessing, and monitoring unclassified performance.” (DoDI 5000.79)
Establishes policy, assigns responsibilities, and prescribes procedures for CUI throughout the DoD in accordance with Executive Order 13556; 32 CFR Part 2002, "Controlled Unclassified Information;“ and DFARS secs. 252.204-7008 and 252.204-7012. Also, establishes the official DoD CUI Registry.