
As of November 30, certain DoD prime contractors and subcontractors will need to complete a cybersecurity self-assessment prior to receiving new contracts, and prior to exercising new options under existing ones. Additionally, they will need to ensure that any subcontractors that receive Controlled Unclassified Information (CUI) have also completed the self-assessment.

Previously, contractors have been able to submit a “system security plan” that describes their level of compliance with the security controls spelled out in NIST SP 800-171, and a “plan of action and milestones” for achieving compliance. However, DoD has become concerned that this does not ensure sufficient protection of CUI in contractor systems, and fails to give the Department sufficient insight into the cybersecurity posture of companies within the Defense Industrial Base. The new rule will provide DoD with objective cybersecurity “scores”—and, ultimately, certification levels—for defense contractors and subcontractors.

More at Foley & Lardner