The Department of Defense has released a long-awaited interim rule on contractor cybersecurity requirements, which creates a two-pronged approach for full Cybersecurity Maturity Model Certification (CMMC) compliance by October 2025.
First, contractors must submit NIST SP 800-171 assessments to the Supplier Performance Risk System to be eligible for any future contract or task/delivery order award. New contracts or task/delivery order awards will also require contractors to grant the government access to their facilities to perform higher-level NIST SP 800-171 assessments. This requirement is related to, but separate from, CMMC.
Second, the interim rule will allow contracting officers to include CMMC requirements in future contracts with approval from the Office of the Under Secretary of Defense for Acquisition and Sustainment. All DoD contracts and subcontracts will require CMMC by October 2025.