Government Contracts Rule Adds Cybersecurity Requirements for DoD Supply Chain
Tuesday, October 27, 2020

Rule Adds Cybersecurity Requirements for DoD Supply Chain

By Government Contracts Editorial Staff

The Department of Defense has issued an interim rule, with a delayed effective date, which amends the Defense Federal Acquisition Regulation Supplement to implement a Department of Defense Assessment Methodology and Cybersecurity Maturity Model Certification framework that assesses contractor implementation of cybersecurity requirements and enhances the protection of unclassified information within the DoD supply chain. As part of multiple lines of effort focused on the security and resiliency of the Defense Industrial Base sector, DoD is working with industry to enhance the protection of unclassified information. Toward this end, DoD has developed the National Institute of Standards and Technology Special Publication 800–171 DoD Assessment Methodology and the CMMC Framework. More information on the NIST SP 800–171 DoD Assessment Methodology is available at The CMMC framework builds on this methodology and adds a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. The CMMC model consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the broader community. Additional information on CMMC and a copy of the CMMC model can be found at

Amendments. This rule amends DFARS Subpart 204.73, Safeguarding Covered Defense Information and Cyber Incident Reporting, to implement the NIST SP 800–171 DoD Assessment Methodology. The changes direct contracting officers to verify in the Supplier Performance Risk System ( that an offeror has a current NIST SP 800–171 DoD Assessment on record, prior to contract award, if the offeror is required to implement NIST SP 800–171 pursuant to the clause at DFARS 252.204-7012. DFARS 204.7304 prescribes a new solicitation provision at DFARS 252.204-7019, Notice of NIST SP 800–171 DoD Assessment Requirements, which advises that offerors are required to implement the NIST SP 800–171 standards of the requirement to have a current (not older than three years) NIST SP 800–171 DoD Assessment on record to be considered for award. The rule also adds a new contract clause at DFARS 252.204-7020, NIST SP 800–171 DoD Assessment Requirements, which requires a contractor to provide the government with access to its facilities, systems, and personnel when it is necessary for DoD to conduct or renew a higher-level assessment. The clause also requires the contractor to ensure that applicable subcontractors have the results of a current assessment posted in SPRS prior to awarding a subcontract or other contractual instruments.

New Subpart. In addition, the rule adds new DFARS Subpart 204.75, Cybersecurity Maturity Model Certification, to specify the policy and procedures for awarding a contract, or exercising an option on a contract, that includes the requirement for a CMMC certification. Specifically, this subpart directs COs to verify in SPRS that the apparently successful offeror’s or contractor’s CMMC certification is current and meets the required level prior to making the award. DFARS 204.7503 prescribes a new clause at DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements, which requires a contractor to maintain the requisite CMMC level for the duration of the contract, ensure that its subcontractors also have the appropriate CMMC level prior to awarding a subcontract or other contractual instruments, and include the clause requirements in all subcontracts or other contractual instruments. The rule also makes conforming changes to the DFARS 212.301 list of solicitation provisions and contract clauses that apply to the acquisition of commercial items, and to DFARS 217.207, Exercise of Options, to advise COs that an option may only be exercised after verifying the contractor’s CMMC level, when CMMC is required in the contract. This interim rule goes into effect on November 30, 2020. Comments on rule, identified by DFARS Case 2019-D041, are due by November 30, 2020. For the text of the rule, see ¶70,017.51.

Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More