DOD plans to finalize rulemaking in December allowing officials to assess compliance with NIST standard

By Sara Friedman / June 30, 2022

The Pentagon is planning to issue a final rule in December establishing a regime for Defense Department acquisition officials to conduct assessments of a contractor's compliance with NIST Special Publication 800-171.

The December final rule concerns the NIST 800-171 Assessment Methodology, which “enables DOD to assess contractor implementation of the cybersecurity requirements in NIST SP 800-171, Protecting Controlled Unclassified Information (CUI) In Nonfederal Systems and Organizations,” according to the Spring 2022 Unified Agenda of Regulatory and Deregulatory Actions. The agenda was released on June 21.

Final rulemaking will cement provisions from a November 2020 interim final rule that directed contractors to submit NIST 800-171 compliance scores into the Supplier Performance Risk System and allowed auditors from the Defense Contract Management Agency to conduct follow-up assessments.

The unified agenda says the third clause in the 2020 rule regarding the Pentagon’s Cybersecurity Maturity Model Certification program will be addressed in two separate rulemakings scheduled for publication in March 2023.

The Pentagon’s acquisition office issued a June 16 memorandum reminding acquisition officials about the NIST 800-171 requirement and potential remedies for non-compliance if companies do not make progress on their submitted plan of action and milestones (POA&M).

“Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements,” the memo said. “Remedies for such a breach may include: withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.”

It continues, “Contracting Officers should consult with legal counsel as well as the program office or requiring activity to discuss appropriate remedies for the specific circumstances surrounding individual contracts.”

The CMMC rulemakings align with recent remarks from program director Stacy Bostjanick.

DOD plans to issue a new interim final rule amending Title 32 of the Code of Federal Regulations in March 2023. The unified agenda entry says, “This rule is related to DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, which specifies the CMMC requirement at the level specified for a contract and for the duration of the contract with the DIB contractor.”

The agenda continues, “This rule will specify the CMMC requirements, at CMMC Level 1, 2, or 3, with which DIB contractors must comply in advance of a contract award, as well as the process for obtaining and maintaining CMMC certification, as required for a designated DOD contract.”

Subject to “pending codification in title 32 CFR of the Cybersecurity Maturity Model Certification (CMMC) program,” DOD will release a final rule to update Title 48 of the CFR in March 2023, according to a second entry in the unified agenda.

The second entry says, “This rule provides the Department with assurances that a DIB contractor can adequately protect sensitive unclassified information at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.”

The Pentagon expects CMMC requirements to start showing up in contracts in May 2023 under a phased-in approach.

During a June webinar, Bostjanick said, “We are going to make sure that we meter it out to the point where we don’t have anyone that fails to be able to get certified and is unable to participate in a contract that they wish to participate on.”

However, Bostjanick said timing is subject to change during the rulemaking process after the Title 32 rule is submitted to the Office of Management and Budget for review.

“If OMB doesn’t grant us an interim rule, everything would shift later out by another year. It would be March 2024 before we could get a final rule. That would mean you see [CMMC] in contracts in May 2024,” Bostjanick said.