Memos - eResilience

RESOURCES

Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012

The DoD has circulated this Memo to contracting officers to remind them of contractor cyber compliance requirements and emphasize penalties that can be levied against non-compliant contractors. Link|Download

DoD CIO taking over CMMC program

The DoD has announced that the DoD CIO will be taking over the responsibility for the CMMC program, effective immediately. The office formerly responsible for CMMC (CISO, USD A&S), will be disestablished, and CMMC implementation will continue under the direction of the DoD CIO. Link | Download

Department of Justice Announcement of new initiative to enforce DoD Cybersecurity Regulations

The DoJ has announced a new civil cyber-fraud initiative that will use the False Claims Act to enforce DoD cybersecurity regulations. Link

Supplier Performance Risk System for NIST SP 800-171 DoD Assessment

The DoD has updated its Supplier Performance Risk System (SPRS) which will now store results from DoD NIST 800-171 Basic, Medium, and High assessments. The SPRS will be accessible by DoD components for the purpose of assessing contractor cybersecurity readiness levels. Link | Download

Update: NIST SP 800-171 DoD Assessment Methodology Version 1.2.1

The DoD has released an update of its NIST SP 800-171 Assessment Methdology, introducing the ability for the DIBCAC to perform remote "virtual" assessments at the Medium and High Confidence level due to the COVID-19 pandemic. Basic assessments will still be self-reported by contractors, and the subtractive, weighted scoring system is still in place. Link | Download

UPDATED: Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73, DFARS Subpart 239.76 and PGI Subpart 239.76

The DoD has published an update to the DFARS 7012 FAQ, covering important questions and clarifications. Link | Download

Memorandum: NIST SP 800-171 DoD Assessment Methodology v1.0 (November 14, 2019)

This Memo and associated document describes the new DoD Assessment Methodology that includes both a scoring system to establish an overall score based on the number of requirements that have been successfully implemented, as well as a confidence rating of Basic, Medium, or High depending on the type of assessment / attestation conducted in determining the score. Link | Download

- NIST SP 800-171 DoD Assessment Methodology v1.0 Document: Link | Download

Memorandum: Change 18-08 of the Navy Marine Corps Acquisition Regulation Supplement (NMCARS) (September 6, 2019)

This memo from the Deputy Assistant Secretary of the Navy (Acquisition and Procurement) announces immediate changes to the NMCARS, requiring the inclusion of Annex 16 in the statements of work of solicitations, contracts, and task or delivery orders when the DON Program Manager, Program Executive Officer, or Chief of Naval Research, in coordination with the Resource Sponsor, determines that the risk to a critical program and/or technology warrants its inclusion. Link | Download

- Complete Updated NMCARS Incorporating Change 18-08 (September 6, 2019) Download
  - - Excerpt from the NMCARS Change 18-08 describes potential penalties for cybersecurity non-compliance: Download
    - Annex 16 of the NMCARS adds enhanced cybersecurity requirements for selected programs: Download

Establishment of the Chief Information Security Office Memorandum (July 24, 2019)

This memo from Kevin Fahey, Assistant Secretary of Defense for Acquisition, establishes the CISO office with Katie Arrington as CISO. This establishes her authority to implement the CMMC program. Download

Memorandum from the Under Secretary of Defense: Strategically Implementing Cybersecurity Contract Clauses (February 5, 2019)

This memo instructs the Defense Contract Management Agency (DCMA) to negotiate the inclusion of DFARS clause 252.204-7012 into existing contracts that don’t currently include the clause, as well as to strategically obtain and assess contractor system security plans and any associated plans of action. Link | Download

Memorandum from The Under Secretary of Defense: Addressing Cybersecurity Oversight as Part of a Contractor’s Purchasing System Review (January 21, 2019)

This memo instructs the Defense Contract Management Agency (DCMA) to begin validating contractor compliance with the requirements of DFARS clause 252.204-7012 and review contractor procedures to assess compliance of their Tier 1 Level Suppliers with DFARS 252.204-7012 and NIST 800-171. Link | Download

Memorandum from the Assistant Secretary of Defense (with Sample SOW Language): Strengthening Contract Requirements Language for Cybersecurity in the Defense Industrial Base (December 17, 2018)

This memo provides contracting officers with sample Statement of Work (SOW) or Contract Data Requirements List (CDRL) language to ensure that the government can access multiple tiers of contractor and subcontractor System Security Plans (SSP) as well as access contractor plans to track flow down of CDI and assess compliance of suppliers. Link | Download

Memorandum from the Office of the Under Secretary of Defense: Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (November 6, 2018)

This memo notifies contracting officers of the release of the final versions of two important procurement guidance documents that provide instructions on how to assess contractor compliance with DFARS 7012 requirements, as an evaluation factor for new contract awards. Link | Download

- Guidance for Assessing of and Enhancing Protections for a Contractor's Internal Unclassified Information System: Link | Download
- DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented: Link | Download

Memorandum from the Office of the Under Secretary of Defense: Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (September 21, 2017)

This memo, released prior to the December 31, 2017 DFARS 7012 compliance deadline, instructed government contracting officers on how to interpret the DFARS 7012 clause, and provided guidance on how to incorporate cybersecurity compliance as an evaluation factor in risk-based procurement decisions. Link | Download

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
_gat_gtag_UA_136970874_1	1 minute	No description
cookielawinfo-checkbox-functional	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-others	1 year	No description