The Federal Register has published a proposed 48 CFR ruling “Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)” This proposed ruling would amend the DFARS to incorporate contractual requirements related to the CMMC program. Public comments will be accepted for 60 days after the date of publication in the Federal Register. Link | Download

A new Contract Management magazine article from eResilience discusses supply chain cyber compliance risk and explores issues and strategies that prime contractors should be aware of when sharing CUI with suppliers and subcontractors. This article appeared in the August 2024 issue of Contract Management magazine, published by the National Contract Management Association. Used with permission. Link | Download

The DoD Office of the Undersecretary of Defense for Intelligence and Security (I&S) released a set of briefing slides providing information on DoD implementation of the CUI program. Link | Download

The DoD has issued a Class Deviation to modify the DFARS 252.20 4-7012 clause so that instead of requiring CUI-handling contractors to implement specifically NIST SP 800-171 Revision 2 instead of “the version of NIST SP 800-171 in effect at the time the solicitation is issued”. This means the CMMC program will continue to use 171 R2 as the underlying standard for compliance even after 171 R3 becomes final. The class deviation is effective immediately and will remain in effect indefinitely, until rescinded.  Link | Download

The DoD released a final rule that revises eligibility criteria for the voluntary DIB Cybersecurity Program, allowing all contractors who handle CDI (DoD CUI) to benefit from bilateral information sharing, which was previously available only to cleared contractors. This ruling also replaces the need for a Medium Assurance Certificate to access the DIBNet portal for cyber incident reporting by allowing registration for DIBNet access through the Procurement Integrated Enterprise Environment (PIEE).  Link | Download

The DoD has released the proposed final ruling for the CMMC program. Link | Download

The September 2023 issue of Contract Management magazine features an article from eResilience focused on supply chain cyber risk management.  Download

(NCMA members can view the article online by logging in to see the complete September issue at  “https://ncmahq.org/Web/Web/Insights/Contract-management-Magazine.aspx”)

This article appeared in the September 2023 issue of Contract Management magazine, published by the National Contract Management Association. Used with permission.

The Inspector General has released a new report on the implementation of the DoD’s CUI program.   Link | Download

NIST has released the initial public draft of SP 800-171 Revision 3, which includes updates to the security requirements and families, updated tailoring criteria, and other enhancements.

Link | Download

The Government Accountability Office (GAO) released a report indicating multiple areas that need improvement in the DoD Cyber Incident Reporting process.

Highlights: Link | Download

Full Report: Link | Download

This “Pre-Decisional Draft” CAP document details the proposed CMMC Assessment Process that will be utilized by certified Assessors when conducting evidence-based assessments for CMMC Level 2 certification. Note that this document is still in draft form and not yet considered final. Link | Download

The DoD has circulated this Memo to contracting officers to remind them of contractor cyber compliance requirements and emphasize penalties that can be levied against non-compliant contractors. Link|Download

The DoD Office of the Inspector General released the findings of an audit regarding NIST 800-171 compliance among DoD research contractors and academic institutions, finding that the protection of CUI is not adequate and that contracting officers must increase the emphasis on compliance.  Link | Download

The DoD has announced that the DoD CIO will be taking over the responsibility for the CMMC program, effective immediately. The office formerly responsible for CMMC (CISO, USD A&S), will be disestablished, and CMMC implementation will continue under the direction of the DoD CIO.  Link | Download

The DoD has released the new Assessment Guide for CMMC 2.0 Level 1. This document provides guidance for companies to correctly perform their Level 1 self-assessments, which must be conducted annually, reported to SPRS, and affirmed by a senior company official when contracts require CMMC 2.0 Level 1.   Link | Download

The DoD has released details of the new CMMC 2.0 Model, along with scoping guidance for Level 1 “Foundational” and Level 2 “Advanced” certification, as well as a CMMC 2.0 Artifact Hashing Guide.

• CMMC 2.0 Model:  Link |Download
• CMMC 2.0 Level 1 Scoping: Link |Download
• CMMC 2.0 Level 2 Scoping: Link |Download
• CMMC 2.0 Artifact Hashing Tool User Guide: Link |Download

The DoD has announced an update to the Cybersecurity Maturity Model Certification (CMMC) program. CMMC 2.0 will incorporate many important changes to the planned implementation of CMMC. Link

The DoJ has announced a new civil cyber-fraud initiative that will use the False Claims Act to enforce DoD cybersecurity regulations. Link

The CMMC Assessment Guide for Level 3 provides information about the assessment objectives and types of evidence that assessors will need to review in order to validate the successful implementation of CMMC practices and processes.                 Link| Download (Level 1)         Link |  Download (Level 3)

NIST has released the draft version of its assessment guide for NIST 800-172 (Formerly NIST 800-171B) Link | Download

The DoD has cleared a briefing from November 2020 on CUI Awareness and Marking for public release. These slides provide good information about how CUI is identified and marked. Link | Download

The DoD has released a list of the new Limited Dissemination Control (LDC) Markings and descriptions of what each marking means. Link | Download

The DoD has issued an interim rule to amend the DFARS cybersecurity regulations to implement a DoD Assessment Methodology and Cybersecurity Maturity Model (CMMC) framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain. (Comments on the interim rule should be submitted in writing on or before 60 days after date of publication in the Federal Register.) Link | Download

Enhanced security requirements for protecting Controlled Unclassified Information: A supplement NIST SP 800-171 (Final public draft)  Link |Download

This update to the DFARS Cyber FAQs provides important new information and answers to additional questions. Link | Download

The DoD has updated its Supplier Performance Risk System (SPRS) which will now store results from DoD NIST 800-171 Basic, Medium, and High assessments. The SPRS will be accessible by DoD components for the purpose of assessing contractor cybersecurity readiness levels. Link | Download

The DoD has released an update of its NIST SP 800-171 Assessment Methdology, introducing the ability for the DIBCAC to perform remote “virtual” assessments at the Medium and High Confidence level due to the COVID-19 pandemic. Basic assessments will still be self-reported by contractors, and the subtractive, weighted scoring system is still in place.  Link | Download

The DoD has published an update to the DFARS 7012 FAQ, covering important questions and clarifications. Link | Download

This new DoD Instruction document establishes an official DoD CUI registry and associated DoD-wide policies, responsibilities, and procedures for CUI. Link | Download

This is the final release of NIST SP 800-171 Rev. 2, which supersedes the previous SP 800-171 Rev.1. Revision 2 includes minor editorial changes but does not change the basic or derived security requirements.  Link | Download

• DoD official release of CMMC Model V1.0 Completed Public Briefing: Link | Download
• DoD CMMC Model Appendices V1.0:  Link | Download

The newly updated DoD Instruction 8582.01 replaces the previous version issued June 6th, 2012. This instruction comes from the office of the Chief Information Officer of the Department of Defense, to establish policies, assign responsibilities, and provide directions for managing security on all non-DoD systems that store or process any non-public DoD information, including CUI Link |Download

Version 0.7 of the draft CMMC is a complete model that includes all levels from 1 through 5, along with appendices that provide clarifications and discussion points. Link | Download

The CUI registry helps you understand what type of information is considered sensitive. There are many types and categories of CUI, and the registry provides descriptions as well as information and resources about marking and dissemination controls. Link

This Memo and associated document describes the new DoD Assessment Methodology that includes both a scoring system to establish an overall score based on the number of requirements that have been successfully implemented, as well as a confidence rating of Basic, Medium, or High depending on the type of assessment / attestation conducted in determining the score.
Link | Download

• • NIST SP 800-171 DoD Assessment Methodology v1.0 Document: Link | Download

This is the most recent draft of the CMMC, taking into account industry feedback that was received by DoD after releasing CMMC Draft version 0.4 for public comments in September 2019.
Link | Download

This 2019 report provides analysis and results from NDIA cybersecurity surveys, indicating that attacks are common, the supply chain is vulnerable, and there is widespread non-compliance throughout the DIB. Link | Download

This memo from the Deputy Assistant Secretary of the Navy (Acquisition and Procurement) announces immediate changes to the NMCARS, requiring the inclusion of Annex 16 in the statements of work of solicitations, contracts, and task or delivery orders when the DON Program Manager, Program Executive Officer, or Chief of Naval Research, in coordination with the Resource Sponsor, determines that the risk to a critical program and/or technology warrants its inclusion. Link | Download

• • Complete Updated NMCARS Incorporating Change 18-08 (September 6, 2019) Download
    • • Excerpt from the NMCARS Change 18-08 describes potential penalties for cybersecurity non-compliance: Download
      • Annex 16 of the NMCARS adds enhanced cybersecurity requirements for selected programs: Download

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) released the Cybersecurity Maturity Model Certification (CMMC) version 0.4 for stakeholder feedback. Link | Download

• • Overview Briefing of the release: Link | Download

This memo from Kevin Fahey, Assistant Secretary of Defense for Acquisition, establishes the CISO office with Katie Arrington as CISO. This establishes her authority to implement the CMMC program. Download

The Department of Defense Office of Inspector General (DoD OIG) released an audit report regarding the protection of Controlled Unclassified Information (CUI) on contractor networks. The audit found that DoD contractors did not consistently implement DoD-mandated system security controls for safeguarding Defense information. Link | Download

• • Brief Results: Link

This is the most recent update of the DCMA Guidebook for auditors conducting Contractor Purchasing System Review (CPSR). APPENDIX 24, starting on Page 97, includes instructions to evaluators on how to assess contractor compliance with DFARS / NIST Cybersecurity regulations and requires contractors to demonstrate how they are tracking and assessing the compliance of their suppliers. Link | Download

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) launched a website that hosts additional background on the proposed CMMC, including a list of FAQs. Link

Draft NIST SP 800-171B provides additional recommendations for enhanced security requirements to protect Controlled Unclassified Information (CUI) from advanced persistent threats (APTs). Link | Download

NIST describes draft NIST SP 800-171 Rev. 2 as “minor editorial changes”. Link | Download

The independent Cybersecurity Readiness Review, requested by The Secretary of the Navy, examined the Department of the Navy’s cybersecurity posture and identified five critical pillars key to cybersecurity readiness: culture, people, structure, processes, and resources. Link | Download

This memo instructs the Defense Contract Management Agency (DCMA) to negotiate the inclusion of DFARS clause 252.204-7012 into existing contracts that don’t currently include the clause, as well as to strategically obtain and assess contractor system security plans and any associated plans of action.
Link | Download

This memo instructs the Defense Contract Management Agency (DCMA) to begin validating contractor compliance with the requirements of DFARS clause 252.204-7012 and review contractor procedures to assess compliance of their Tier 1 Level Suppliers with DFARS 252.204-7012 and NIST 800-171. Link | Download

This memo provides contracting officers with sample Statement of Work (SOW) or Contract Data Requirements List (CDRL) language to ensure that the government can access multiple tiers of contractor and subcontractor System Security Plans (SSP) as well as access contractor plans to track flow down of CDI and assess compliance of suppliers. Link | Download

This memo notifies contracting officers of the release of the final versions of two important procurement guidance documents that provide instructions on how to assess contractor compliance with DFARS 7012 requirements, as an evaluation factor for new contract awards. Link | Download

• • Guidance for Assessing of and Enhancing Protections for a Contractor’s Internal Unclassified Information System: Link | Download
  • DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented: Link | Download

“Deliver Uncompromised” is an Advisory Document for the United States Government that provides insight and recommendations relating to the security of the defense industrial base, touching a range of topics including legislation and regulation, policy and administration, acquisition and oversight, programs and technology. The Deliver Uncompromised report recommends establishing security as the “4th Pillar” of defense acquisition, equal in importance to cost, performance, and schedule. Download

This set of 110 NIST security requirements is derived from NIST 800-53, a broader set of standards used for protecting CUI on Federal systems. Link | Download

This is the government’s Special Publication that provides guidance for assessing compliance with NIST 800-171. The 171A guidance describes what evidence is needed and how to conduct a total of 320 objective tests to be used for validating successful implementation of the 110 security requirements of NIST 800-171. Link | Download

This important set of FAQs provides the Government’s clarifications and answers to many questions from industry about how to interpret the clause and what the Government’s expectations are regarding cost recovery, supply-chain flow-down, and other key issues. Link | Download

• • Original version with highlights: Download

This memo, released prior to the December 31, 2017 DFARS 7012 compliance deadline, instructed government contracting officers on how to interpret the DFARS 7012 clause, and provided guidance on how to incorporate cybersecurity compliance as an evaluation factor in risk-based procurement decisions. Link | Download

This cybersecurity safeguarding clause is now in all DoD contracts other than purely commercial off-the-shelf procurements, and says that at a “minimum”, contractors must implement NIST 800-171 requirements in order to provide “adequate security” if they store or handle Covered Defense Information (CDI). Link