RESOURCES
NEW 48 CFR Proposed Ruling Published by DoD
The Federal Register has published a proposed 48 CFR ruling "Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)" This proposed ruling would amend the DFARS to incorporate contractual requirements related to the CMMC program. Public comments will be accepted for 60 days after the date of publication in the Federal Register. Link | Download
NEW DoD issues Class Deviation on Cybersecurity Standards for Covered Contractor Information Systems
The DoD has issued a Class Deviation to modify the DFARS 252.20 4-7012 clause so that instead of requiring CUI-handling contractors to implement specifically NIST SP 800-171 Revision 2 instead of "the version of NIST SP 800-171 in effect at the time the solicitation is issued". This means the CMMC program will continue to use 171 R2 as the underlying standard for compliance even after 171 R3 becomes final. The class deviation is effective immediately and will remain in effect indefinitely, until rescinded. Link | Download
NEW Department of Defense (DoD) Defense Industrial Base (DIB) Cybersecurity (CS) Activities
The DoD released a final rule that revises eligibility criteria for the voluntary DIB Cybersecurity Program, allowing all contractors who handle CDI (DoD CUI) to benefit from bilateral information sharing, which was previously available only to cleared contractors. This ruling also replaces the need for a Medium Assurance Certificate to access the DIBNet portal for cyber incident reporting by allowing registration for DIBNet access through the Procurement Integrated Enterprise Environment (PIEE). Link | Download
Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012
The DoD has circulated this Memo to contracting officers to remind them of contractor cyber compliance requirements and emphasize penalties that can be levied against non-compliant contractors. Link|Download
DoD Inspector General Report: Audit of the Protection of Military Research Information and Technologies Developed by Department of Defense Academic and Research Contractors
The DoD Office of the Inspector General released the findings of an audit regarding NIST 800-171 compliance among DoD research contractors and academic institutions, finding that the protection of CUI is not adequate and that contracting officers must increase the emphasis on compliance. Link | Download
CMMC 2.0: Level 1 Self-Assessment Guide
The DoD has released the new Assessment Guide for CMMC 2.0 Level 1. This document provides guidance for companies to correctly perform their Level 1 self-assessments, which must be conducted annually, reported to SPRS, and affirmed by a senior company official when contracts require CMMC 2.0 Level 1. Link | Download
CMMC 2.0 Model and Scoping Guidance
The DoD has released details of the new CMMC 2.0 Model, along with scoping guidance for Level 1 "Foundational" and Level 2 "Advanced" certification, as well as a CMMC 2.0 Artifact Hashing Guide.
CMMC 2.0 Announced
The DoD has announced an update to the Cybersecurity Maturity Model Certification (CMMC) program. CMMC 2.0 will incorporate many important changes to the planned implementation of CMMC. Link
CMMC Level 1 and Level 3 Assessment Guides
The CMMC Assessment Guide for Level 3 provides information about the assessment objectives and types of evidence that assessors will need to review in order to validate the successful implementation of CMMC practices and processes. Link| Download (Level 1) Link | Download (Level 3)
NIST SP 800-172 “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171”
NIST 800-172 prescribes enhanced security requirements designed to further protect Controlled Unclassified Information (CUI) from advanced persistent threats by protecting the confidentiality, integrity, and availability of that information on nonfederal information systems associated with critical programs or high value assets. This publication does not replace NIST SP 800-171, but creates additional security requirements that will need to be implemented for selected systems. Link | Download
Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)
The DoD has issued an interim rule to amend the DFARS cybersecurity regulations to implement a DoD Assessment Methodology and Cybersecurity Maturity Model (CMMC) framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain. (Comments on the interim rule should be submitted in writing on or before 60 days after date of publication in the Federal Register.) Link | Download
Update: NIST SP 800-171 DoD Assessment Methodology Version 1.2.1
The DoD has released an update of its NIST SP 800-171 Assessment Methdology, introducing the ability for the DIBCAC to perform remote "virtual" assessments at the Medium and High Confidence level due to the COVID-19 pandemic. Basic assessments will still be self-reported by contractors, and the subtractive, weighted scoring system is still in place. Link | Download
Cybersecurity Maturity Model Certification (CMMC) Version 1.0 Released (January 31, 2020)
The DoD has released the official version of CMMC v1.0. This document is effective immediately and provides clarification on what the requirements will be for each level of CMMC certification.
Updated DoD Instruction 8582.01 (December 9, 2019)
The newly updated DoD Instruction 8582.01 replaces the previous version issued June 6th, 2012. This instruction comes from the office of the Chief Information Officer of the Department of Defense, to establish policies, assign responsibilities, and provide directions for managing security on all non-DoD systems that store or process any non-public DoD information, including CUI Link |Download
Memorandum: NIST SP 800-171 DoD Assessment Methodology v1.0 (November 14, 2019)
This Memo and associated document describes the new DoD Assessment Methodology that includes both a scoring system to establish an overall score based on the number of requirements that have been successfully implemented, as well as a confidence rating of Basic, Medium, or High depending on the type of assessment / attestation conducted in determining the score. Link | Download
Memorandum: Change 18-08 of the Navy Marine Corps Acquisition Regulation Supplement (NMCARS) (September 6, 2019)
This memo from the Deputy Assistant Secretary of the Navy (Acquisition and Procurement) announces immediate changes to the NMCARS, requiring the inclusion of Annex 16 in the statements of work of solicitations, contracts, and task or delivery orders when the DON Program Manager, Program Executive Officer, or Chief of Naval Research, in coordination with the Resource Sponsor, determines that the risk to a critical program and/or technology warrants its inclusion. Link | Download
Establishment of the Chief Information Security Office Memorandum (July 24, 2019)
This memo from Kevin Fahey, Assistant Secretary of Defense for Acquisition, establishes the CISO office with Katie Arrington as CISO. This establishes her authority to implement the CMMC program. Download
Audit of Protection of DoD Controlled Unclassified Information on Contractor-Owned Networks and Systems DoDIG-2019-105 (July 23, 2019)
The Department of Defense Office of Inspector General (DoD OIG) released an audit report regarding the protection of Controlled Unclassified Information (CUI) on contractor networks. The audit found that DoD contractors did not consistently implement DoD-mandated system security controls for safeguarding Defense information. Link | Download
- Brief Results: Link
DCMA Contractor Purchasing System Review (CPSR) Guidebook (June 14, 2019)
This is the most recent update of the DCMA Guidebook for auditors conducting Contractor Purchasing System Review (CPSR). APPENDIX 24, starting on Page 97, includes instructions to evaluators on how to assess contractor compliance with DFARS / NIST Cybersecurity regulations and requires contractors to demonstrate how they are tracking and assessing the compliance of their suppliers. Link | Download
Cybersecurity Maturity Model Certification (CCMC) Website (June 2019)
The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) launched a website that hosts additional background on the proposed CMMC, including a list of FAQs. Link
Memorandum from the Under Secretary of Defense: Strategically Implementing Cybersecurity Contract Clauses (February 5, 2019)
This memo instructs the Defense Contract Management Agency (DCMA) to negotiate the inclusion of DFARS clause 252.204-7012 into existing contracts that don’t currently include the clause, as well as to strategically obtain and assess contractor system security plans and any associated plans of action. Link | Download
Memorandum from The Under Secretary of Defense: Addressing Cybersecurity Oversight as Part of a Contractor’s Purchasing System Review (January 21, 2019)
This memo instructs the Defense Contract Management Agency (DCMA) to begin validating contractor compliance with the requirements of DFARS clause 252.204-7012 and review contractor procedures to assess compliance of their Tier 1 Level Suppliers with DFARS 252.204-7012 and NIST 800-171. Link | Download
Memorandum from the Assistant Secretary of Defense (with Sample SOW Language): Strengthening Contract Requirements Language for Cybersecurity in the Defense Industrial Base (December 17, 2018)
This memo provides contracting officers with sample Statement of Work (SOW) or Contract Data Requirements List (CDRL) language to ensure that the government can access multiple tiers of contractor and subcontractor System Security Plans (SSP) as well as access contractor plans to track flow down of CDI and assess compliance of suppliers. Link | Download
Memorandum from the Office of the Under Secretary of Defense: Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (November 6, 2018)
Updated DFARS Frequently Asked Questions (rev 1): FAQs regarding the Implementation of DFARS Subpart 204.73 and PGI Subpart 204.73, DFARS Subpart 239.76 and PGI Subpart 239.76 (April 2, 2018)
This important set of FAQs provides the Government’s clarifications and answers to many questions from industry about how to interpret the clause and what the Government’s expectations are regarding cost recovery, supply-chain flow-down, and other key issues. Link | Download
- Original version with highlights: Download
Memorandum from the Office of the Under Secretary of Defense: Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (September 21, 2017)
This memo, released prior to the December 31, 2017 DFARS 7012 compliance deadline, instructed government contracting officers on how to interpret the DFARS 7012 clause, and provided guidance on how to incorporate cybersecurity compliance as an evaluation factor in risk-based procurement decisions. Link | Download
DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (October 2016)
This cybersecurity safeguarding clause is now in all DoD contracts other than purely commercial off-the-shelf procurements, and says that at a “minimum”, contractors must implement NIST 800-171 requirements in order to provide “adequate security” if they store or handle Covered Defense Information (CDI). Link