DoD publishes long awaited interim rule on CMMC

At long last, the Department of Defense (“DoD”) has provided its interim rule, published in the Federal Register on September 29, 2020, amending the Defense Federal Acquisition Regulation Supplement (“DFARS”) to set forth requirements for the Cybersecurity Maturity Model Certification (“CMMC”) program, as well as new requirements for a “NIST SP 800-171 DoD Assessment Methodology.” The interim rule is effective November 30, 2020, and comments to the interim rule should be submitted by November 30 as well.

NIST SP 800-171 DoD Assessment Methodology

For contractors already required to comply with NIST SP 800-171, per DFARS 252.204-7012, DoD now is going to hold those contractors accountable, instituting an assessment and reporting system to verify compliance before new contracts can be awarded. While the new requirement is for information to be provided prior to contract award, DoD encourages affected contractors to begin their self-assessments immediately.

The Assessment Methodology will include three assessment levels: (1) Basic, (2) Medium, and (3) High. The Basic Assessment will be a self-assessment completed by the contractor prior to contract award, while the Medium and High Assessments are available options for DoD to complete after award. DoD estimates it will conduct 200 Medium Assessments and 110 High Assessments each year. Additional information regarding DoD assessments is available here.

There is a specific scoring methodology to be followed for the Assessment. A contractor that has fully implemented all 110 NIST SP 800-171 controls will have a score of “110.” It goes without saying that contractors will need to be careful here – an inaccurate report could subject a company to exposure under the False Claims Act.

Assessments will be valid for three years unless there are issues requiring a reassessment sooner. The newly-announced Assessment Methodology appears to be an immediate solution to provide DoD some peace of mind on contractor data security until the CMMC program can be fully implemented.

Continue reading at the Sheppard Mullin GovCon Blog.

NIST SP 800-171 DoD Assessment Methodology

Contracting News

GAO holds solicitation requirement violates SBA’s regulations regarding small business mentor-protégé joint ventures

Virginia businessman sentenced for bribery of FBI official

New Executive Order requires many federal contractors to increase minimum wage for workers to $15 by 2022

Construction firm pays $2.5 million to settle allegations of exploiting SDVOSB program

Mandatory breach notification requirements are coming for government contractors

Contracting Tips

Five things you should know about past performance when teaming

5 things you should know: SBA’s recent 8(a) program updates

SBA OHA: Ownership and control are not the same in the WOSB program

Five things you should know about responding to size protests

SBA extends the HUBZone map freeze to June 30, 2023

GTPAC News

DLA hosting aviation industry day virtual conference June 8th and 9th

Georgia Defense Industrial Base Task Force hosting CMMC summit May 18th

The VA’s OSDBU Direct Access Program is hosting a large number of small business events

SBA hosting “Contract Bonds and Surety Bond Guarantee” webinar April 20th

GSA hosting “Getting on the GSA Schedule” webinar April 13th

Georgia Tech News

Control system helps several drones team up to deliver heavy packages

Georgia Tech and partners to help NASA advance deep space exploration

Georgia Tech structure certified as ‘living building’

Georgia Tech creates new Office of Corporate Engagement

Delta Jacket wins 2021 Georgia Tech InVenture prize