Pentagon finalizes change to acquisition rules setting up DOD methodology for cyber assessment standard

By Sara Friedman  / November 21, 2023

The Pentagon will use a methodology developed by the Defense Contract Management Agency's Defense Industrial Base Cyber Assessment Center for National Institute of Standards and Technology Special Publications 800-171 assessments moving forward, according to a final rule formalizing an arrangement that is seen as a placeholder for the upcoming rollout of the Cybersecurity Maturity Model Certification program.

The change to the Defense Federal Acquisition Regulation Supplement is part of a final rule issued on Friday containing several technical amendments.

The Defense Department issued an interim final rule in 2020 containing three new DFARS clauses intended to make defense contractors accountable for implementing NIST 800-171, the agency’s foundational guide for handling controlled unclassified information.

The program was put on hold during an internal review in 2021. Major changes to the program were announced in November 2021.

The Pentagon launched a process in 2022 where contractors would be able to get joint surveillance assessments based on NIST 800-171 with the intent that the assessments would be converted into a level two CMMC certification when the program is finalized.

The initial NIST 800-171 requirement went into effect on Dec. 31, 2017. Companies were required to self-attest compliance and provide a system security plan if requested. As part of that process, the DIBCAC developed a methodology where they could determine a “score” based on the 110 controls in NIST 800-171 for companies who volunteered to get an assessment.

The new technical amendment adds the methodology to the defense acquisition rules in Clauses 252.204-7019 and 252.204-7020. The link in the old DFARS statute went directly to NIST SP 800-171.

On Friday, DOD also issued a separate proposed rule on “commercial products, commercial services and commercially available off-the-shelf items.” The rule is a requirement from sections of National Defense Authorization Act from fiscal 2018 and 2019.

Notably, the proposed rule makes it clear that the requirements for the acquisition of COTS items are not applicable to contracts that need to meet NIST 800-171 requirements. This is in alignment with three clauses in the 2020 interim final rule and DFARS 252.204-7008, which concerns compliance with safeguarding covered defense information controls.