The Department of Defense (DoD) is seeking comments on an interim rule that implements the Cybersecurity Maturity Model Certification (CMMC) framework and a companion assessment methodology, part of an effort to better protect controlled unclassified information (CUI) within the DoD supply chain and to evaluate how well vendors have actually implemented the required cyber controls.
DoD introduced the interim rule as an amendment to the Defense Federal Acquisition Regulation Supplement (DFARS), according to a notice posted Tuesday in the Federal Register.
The interim rule amends a DFARS subpart to implement the National Institute of Standards and Technology (NIST) Special Publication 800-171 DoD Assessment Methodology. Under this amendment, contracting officers must verify in the Supplier Performance Risk System (SPRS) that a vendor has a current NIST SP 800-171 DoD Assessment on record, meaning one that is not more than three years old unless the solicitation specifies a shorter period, before making a contract award.
The rule also directs contracting officers to verify in SPRS that the contractor holds a current CMMC certificate at the maturity level the contract requires before making the award.
“A new DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, is prescribed for use in all solicitations and contracts or task orders or delivery orders, excluding those exclusively for the acquisition of COTS items,” the rule reads.
The interim rule takes effect Nov. 30, 2020, and comments on it are due the same day.
Katherine Arrington, chief information security officer (CISO) for acquisition within the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) and a 2020 Wash100 Award recipient, will deliver the keynote at the Fall 2020 CMMC Forum.