The Department of Defense (DoD) recently published an interim rule that sets forth its Cybersecurity Maturity Model Certification (CMMC) program plan, as well as new requirements for a “NIST SP 800-171 DoD Assessment Methodology.” NIST SP 800-171 relates to protection of sensitive, but unclassified information (within a company’s system.) The interim rule will be effective November 30, 2020, and comments are due the same day. You can read our in-depth breakdown of the key provisions here.

The interim rule has an immediate effect for DoD contractors and subcontractors that are already required to comply with the security controls in NIST SP 800-171, as it institutes a new assessment and reporting system to verify compliance prior to contract award.  With respect to the CMMC, the interim rule largely is consistent with what DoD previously has shared (see our articles here and here for more information). CMMC requirements may be included in solicitations and contracts through September 30, 2025 only where approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment.  On or after October 1, 2025, CMMC will apply to all DoD solicitations and contracts (with very limited exceptions, including procurements solely for commercially available off-the-shelf items).

Putting it Into Practice. This rule has immediate implications for all companies that do business with DoD (either directly or indirectly). DoD contractors (and subcontractors) need to assess what type(s) of information they have as well as which assessment(s) will apply to them. Companies outside of the Defense Industrial Base can benefit from following closely what DoD is doing as it is expected other government agencies and regulators will adopt the same or a similar approach for cybersecurity in the near future.