
WHAT: After clearing the interagency review conducted by the Office of Management and Budget (OMB), the U.S. Department of Defense (DOD) has released a long-awaited interim rule to implement not one, but two new frameworks for verifying contractor compliance with cybersecurity requirements: (1) NIST SP 800-171 DOD Assessment Methodology and (2) the Cybersecurity Maturity Model Certification (CMMC).

WHEN: The interim rule was released today, September 29, 2020, and is scheduled to become effective on November 30, 2020.

WHAT DOES IT MEAN FOR INDUSTRY: This interim rule combines two items: (1) a new assessment framework, which will have an immediate impact on contractors, and (2) additional information about the long-anticipated CMMC framework, which DOD will roll out over the next five years.

The immediate impact comes from the NIST SP 800-171 DOD Assessment Methodology. Under this framework, contractors will be required to complete a self-assessment of their compliance with NIST SP 800-171 before they can receive DOD contracts. This framework also gives DOD new tools for verifying a contractor’s compliance.

Read the full analysis at Wiley