Ready or Not…Government Contractor Cybersecurity Requirements Roll Out This Month

McGuireWoods LLP

New Department of Defense (DoD) regulations related to government contractor cybersecurity requirements become effective November 30, 2020.

The progressive steps to mandatory contractor Cybersecurity Maturity Model Certification (CMMC) are expected to roll out over the next 5 years. However, certain preliminary actions are required this month to ensure that contractors are eligible for award of new contracts, task orders, delivery orders, or option terms.

History of Cybersecurity Requirements. The new CMMC requirements essentially build on existing regulations. Under DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, contractors are required to comply with National Institute of Standards and Technology (NIST) SP 800-171 in the protection of certain contractor and government information. Defense contractors and subcontractors are required to provide “adequate security” to store, process, or transmit Controlled Unclassified Information (CUI) on information systems or networks, and to report cyber incidents that affect those systems or networks. Based on DoD research, contractors essentially performed a system gap analysis and developed a plan for compliance, or Plan of Action and Milestones (POA&M). However, the government has had low visibility into contractors’ actual implementation of, and compliance with, the 110 NIST SP 800-171 security requirements.

New Requirements. Contractors must be compliant with certain new regulations under Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041). Primarily, defense contractors are required to take two steps: (1) demonstrate implementation of NIST SP 800-171 on their information systems that process CUI, and (2) take steps to protect Federal Contract Information (FCI) and CUI on their information systems in preparation for full compliance and verification under the new CMMC Framework. Contractors must flow these requirements down to subcontractors.

Under the first step, effective November 30, in accordance with solicitation requirements and DFARS 252.204-7019, contractors that are required to implement NIST SP 800-171 must perform a Basic Assessment (as defined in DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements). In addition, the results of the Basic Assessment must be posted on the DoD Supplier Performance Risk System (SPRS). This reporting mechanism gives DoD Components visibility into the scores of Assessments completed by contractors. To be eligible for award, a contractor’s assessment must be current (i.e., not more than 3 years old).

The second step described in the new regulations includes a plan for preparation for contractor CMMC compliance, including an envisioned phased rollout, with small business considerations, over 1-7 years. Building upon the NIST SP 800-171 DoD Assessment Methodology, the CMMC framework adds “a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level.” The new regulations include future procedures for solicitations, contracts, task orders, delivery orders and option extensions that require CMMC compliance.

Until September 30, 2025, contractual requirements for CMMC compliance must be approved by the Office of the Under Secretary of Defense for Acquisition & Sustainment, OUSD(A&S). On or after October 1, 2025, compliance under the new regulation (DFARS 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement) will be included in all solicitations, contracts, and task orders or delivery orders. The requirement will apply to awards, including those using FAR part 12 procedures for the acquisition of commercial items (except for procurement of commercially available off-the-shelf (COTS) items).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McGuireWoods LLP | Attorney Advertising

Written by:

McGuireWoods LLP