October 9, 2020

New cybersecurity requirements for DoD contractors

On September 29, 2020, the Defense Acquisition Regulations System (DFARS) of the US Department of Defense published an interim rule amending the Defense Federal Acquisition Regulation Supplement to address threats to the US economy and national security from malicious cyber activities, and to enhance the protection of unclassified information held by DoD contractors. CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The intent is to incorporate CMMC into DFARS and use it as a requirement for contract award. DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure that appropriate cybersecurity practices and processes are in place, both to ensure basic cyber hygiene and to protect controlled unclassified information (CUI) that resides on the networks of the Department’s industry partners.

In order to achieve this objective, the DoD developed the National Institute of Standards and Technology Special Publication 800-171 DoD Assessment Methodology and the Cybersecurity Maturity Model Certification framework. The Cybersecurity Maturity Model incorporates over 60 data protection requirements and cybersecurity best practices, and defines five levels of cybersecurity maturity certification, enabling the DoD to verify the implementation of processes and practices among contractors and to ensure that they can protect sensitive information at a level commensurate with the risk involved. Under the amendments, a contractor’s cybersecurity posture will be verified by third-party assessment organizations, or “C3PAOs,” which in turn must be accredited by an independent Cybersecurity Maturity Model Certification Accreditation Body.

The DoD plans to implement the Cybersecurity Maturity Model in phases over the next five years. The model will be prescribed for use in solicitations and contracts during the first five years, and will be mandatory after October 1, 2025. The framework’s certification requirements will apply to subcontractors as well as prime contractors.

When fully implemented, the framework will require prospective contractors to maintain a current NIST SP 800-171 assessment on file, and the amended DFARS obliges contractors to give the government access to their facilities, systems and personnel for the purpose of conducting an assessment.

Due to the urgent and compelling need to secure the DoD’s supply chain, a final rule will be published on November 30, 2020, prior to completion of the statutory notice and comment period.

DARS rule