
Parsing the Meaning of Performance Risk Scores


Under a new interim rule, Defense Department contractors must have on file a current assessment of their compliance with the security controls in NIST SP 800-171 to be considered for an award. The department has recently taken two little-noticed actions that may provide some insight into how it plans to use these assessment scores.

  • First, DoD added to a FAQ list a note that such scores were intended to be used to support “basic,” “medium,” and “high” assessments and to provide “an objective assessment of a contractor’s NIST 800-171 implementation status.” The department also clarified that there will not be a score threshold for “passing.”
  • A proposed rule makes these summary scores a required evaluation factor for all solicitations for supplies and services, including those for commercial items, and amends DFARS by requiring contracting officers to use them as a factor in determining responsibility to “reduce supply chain risk.”
