DoD issued an interim rule to amend DFARS to implement a DoD Assessment Methodology and the Cybersecurity Maturity Model Certification (CMMC) framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.
CMMC complements DFARS clause 252.204-7012, which was published in the Federal Register and became effective in 2015. Among other requirements, 252.204-7012 requires Contractors/Subcontractors to safeguard CUI by implementing cybersecurity requirements in NIST SP 800-171.
Advises offerors required to implement the NIST SP 800-171 standards of the requirement to have a current NIST SP 800-171 DoD Assessment on record to be considered for award. Requires offerors to post current Assessments in the Supplier Performance Risk System (SPRS).
Requires contractors to provide the Government with access to their facilities, systems, and personnel when necessary for DoD to conduct or renew a higher-level NIST SP 800-171 DoD Assessment.
Effective 1 Oct 2025. Requires CMMC certificate by time of contract award. Until 1 Oct 2025, DoD must approve CMMC clause in new acquisitions. Contractor certification level must be maintained for contract duration and this clause must be flowed down, as required.
National Institute of Standards and Technology Special Publication (NIST SP) 800-172 provides federal agencies with a set of enhanced security requirements for protecting the confidentiality, integrity, and availability of CUI in nonfederal systems and organizations from the advanced persistent threat when the CUI is associated with a critical program or high value asset.
Provides an overview of DCSA’s responsibilities in support of DoD CUI program management, including information about the program’s phased rollout and various CUI resources.
SPRS “...is the authoritative source to retrieve supplier and product PI [performance information] assessments for the DoD [Department of Defense] acquisition community to use in identifying, assessing, and monitoring unclassified performance.” (DoDI 5000.79)
The authoritative source for CMMC-AB information, including marketplace listings of authorized/approved CMMC Third Party Assessment Organizations (C3PAOs).
Establishes policy, assigns responsibilities, and prescribes procedures for CUI throughout the DoD in accordance with Executive Order 13556; 32 CFR Part 2002, "Controlled Unclassified Information;" and DFARS secs. 252.204-7008 and 252.204-7012. Also establishes the official DoD CUI Registry.
Establishes policy, assigns responsibilities, and prescribes procedures for the management of cybersecurity risk by program decision authorities and program managers in the DoD acquisition processes.
E.O. modernizing cybersecurity defenses by protecting federal networks, improving information-sharing on cyber issues, and strengthening our ability to respond to incidents.