DoD Announces New CMMC — NIST 800–171 Assessment & Contract Requirements…

CyberOne Security
Nov 4, 2020

The Department of Defense (DoD) recently released an interim rule on implementing its Cybersecurity Maturity Model Certification (CMMC) framework. The rule announces two major updates of interest to DoD suppliers (DIBS — Defense Industrial Base Suppliers).

CyberOne can help you automate and achieve and maintain CMMC Certification with complete confidence. We can provide you and/or your supply chain with a NIST 800–171 Assessment, and our best in class SaaS GRC automation platform comes with policy templates mapped to CMMC, control build and implementation guidance, and the CMMC regulatory controls pre-crosswalked to NIST 800–171, 800–53, CSF and CIS v7.0. Contact us for more information.

CMMC Requirement Added to DoD Contracts

The interim rule also includes a clause for adding CMMC as a requirement in a DoD contract beginning on November 30, 2020.

NIST 800–171 Assessment

The rule increases DoD’s requirements for confirming that contractors are currently in compliance with all 110 security controls in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171 (NIST 800–171).

Implementation of NIST 800–171 Controls

DoD has interpreted “implement” to mean that a contractor must create a System Security Plan that explains whether the contractor complies with each of the 110 security controls and a Plan of Action and Milestones (POA&M) that describes how the contractor will attain full compliance for any control not yet met.

DFARS 252.204–7012, “Safeguarding Covered Defense Information And Cyber Incident Reporting,” requires defense contractors to provide “adequate security” for covered defense information, which “at a minimum” requires contractors to “implement” NIST 800–171.

DFARS provision 252.204–7019 requires a current (not older than three years) assessment on record in a Government database called the Supplier Performance Risk System (SPRS).

Assessment Process

There are three assessment levels, each of which yields a corresponding “confidence level”:

  1. Basic Assessment: This is a self-assessment by contractors using the NIST 800–171 DoD Assessment Methodology. It largely consists of reviewing your System Security Plan and its adequate implementation of NIST 800–171.
  2. Medium Assessment: This is an assessment conducted by the Government that includes reviewing the contractor’s System Security Plan and self-assessment.
  3. High Assessment: This on-site assessment includes everything in the Medium Assessment, as well as verification, examination, and demonstration of a contractor’s System Security Plan to validate that the NIST 800–171 security requirements have been implemented as described in the plan.

Assessment Scoring Methodology

This scoring methodology is designed to provide an objective assessment of a contractor’s NIST SP 800–171 implementation status. Partial implementation will be credited for requirements that have partial implementation built-in (e.g., multi-factor authentication, security requirement 3.5.3).

The assessment will result in a score reflecting the net effect of security requirements not yet implemented. If all security requirements are implemented, a contractor is awarded a score of 110, consistent with the total number of NIST SP 800–171 security requirements. For each security requirement not met, the associated value is subtracted from 110. Requirements are weighted by their impact on the information system and on DoD CUI, and an unimplemented requirement can carry a deduction of up to 5 points.

About CyberOne

CyberOne is modern SaaS automation for all your Governance, Risk, and Compliance needs. Built for companies of all sizes, it lets you build and scale your security program maturity with CyberOne’s best-in-class automation platform, content libraries, recognized training, and implementation guidance for CMMC, ISO, SOC 2, HIPAA, PCI, and more.

For more information about CyberOne, contact us, visit our website, or read our 5/5 star reviews on Gartner’s review site Capterra.
