Three DoD DFARS will soon become permanent rules

According to a recent statement by Katie Arrington, the Pentagon’s CISO for acquisition and sustainment, three Defense Federal Acquisition Regulation Supplements (DFARS) for the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) will soon be permanent rules. (MeriTalk April 15, 2021)

The CMMC program enforces cybersecurity standards in the Defense Industrial Base (DIB) supply chain. The certification requirements will be part of all DoD contract requirements by 2026. (ibid)

The soon-to-be-permanent rules are:

  • DFARS Provision 252.204.7019 requires contractors to complete self-assessments and upload them into the DoD’s Supplier Risk Performance System (SPRS)
  • DFARS Clause 252.204.7020 takes place upon contract completion, allows DoD access to systems, facility, and personnel if DoD assesses the necessity due to risk
  • DFARS Clause 252.204.7012 requires all contractors to maintain adequate security of defense information that is “processed, stored or transmitted” on their network (ibid)

According to Arrington, 300,000 contractors need to get CMMC certified within the next five years. She said, “we have thought carefully about this, and making cybersecurity foundational to acquisition wasn’t something that we just thought “Let’s do it one time.” It has to be an enduring capability.” (ibid)

Questions concerning CMMC certification? Give us a call.

 

CMMC in GWACs

GSA is expected to begin applying the Department of Defense’s Cyber Maturity Model Certification (CMMC) at the order level to governmentwide acquisition contract vehicles. (Govconwire, November 10, 2020)

According to Keith Nakasone, deputy assistant commissioner for acquisition in the General Services Administration Office of IT, future Government Wide Acquisition Contracts (GWACs) will include CMMC requirements, layered in over time. In this video interview, Nakasone explains that the requirements are being added to make sure contracts are within scope for the Department of Defense, the largest GWAC customer. (Government Matters, November 8, 2020)

Nakasone hopes to educate and train industry partners on the CMMC requirements over time. Although he didn’t state outright that CMMC will become part of all future contracts, they are part of the Polaris draft RFP, scheduled for release in December. (ibid)

Need assistance in understanding the CMMC requirements? Give us a call.

Self-Assess No More

Cybersecurity for  Department of Defense (DoD) contractors is an ongoing issue. Now, DoD is issuing an interim rule to implement an Assessment Methodology and Cybersecurity Maturity Model Certification framework. This will assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain. (Federal Register, DFARS Case 2019-D041 Action: Interim Rule)

The current self-attestation of NIST Special Publication (SP) 800-171 is not working due to a lack of DoD verification. Until the implementation of the interim rule, DoD did not have a mandate to verify contractor basic safeguarding or security requirements prior to contract award.  This regulation changes that. The interim rule adds a process for contractors to  implement cybersecurity requirements. This is to be accomplished while the DoD’s Cybersecurity Maturity Model Certification (CMMC) and the procedures with the Accreditation Body (AB) are solidified. (Meritalk, September 28, 2020)

Questions about how the new rule will affect your contract or upcoming bid and what you can expect? Give us a call.

CMMC Coming to Solicitations

Cybersecurity Maturity Model Certification (CMMC) requirements may show up in solicitations within six months. (GOVCONWire, May 12, 2020)

A Department of Defense spokesperson expects about 10 DoD RFIs in June to include the new requirements. She said, “As we release the RFIs, we’ll have the certified and trained auditors who will be able to go out to industry and certify companies at the level of maturity required for the work that they’re bidding on.” (ibid)

Additionally, changes to the Defense Federal Acquisition Regulation Supplement 252.204-7012 should be finalized by October. “You will not see the CMMC in any Department of Defense contracts or RFPs until the rule change is completed.” (ibid)

Questions on the Cybersecurity Maturity Model Certification and whether you can bid on upcoming solicitations? Give us a call.

CMMC not for COTS

A recent modification to DoD’s website spells out a small but very specific change about the Cybersecurity Maturity Model Certification (CMMC): it’s not applicable to DoD suppliers that only provide commercial-off-the-shelf products. (FedScoop, May 5, 2020)

Originally, DoD and CMMC administrators explained that all contractors and subcontractors must be certified under  CMMC by a third-party assessor. However, a few weeks ago, the Office of the Under Secretary of Defense for Acquisition and Sustainment changed the official website. The revised FAQ section states: “Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.” (ibid)

CMMC is in place to certify contractors have the cybersecurity practices in place to work with controlled unclassified information, the actual products themselves. (ibid)

Wondering if CMMC applies to the products and or services you provide? Give us a call.