At a recent Town Hall Meeting hosted by the CMMC Accreditation Body, a Defense Contract Management Agency representative announced that they will begin assessing contractors’ compliance against NIST SP 800-171 security controls through the “Medium Assessment” process that the DoD prescribed in the interim rule that created Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7020. In a Medium Assessment, the Government reviews the contractor’s current documentation (primarily the System Security Plan) and the contractor’s previous self-assessment, which contractors were required to complete by November 2020. The representative explained that he expects these assessments to begin in “a couple months.”
Source:
