Copyright 2015 Libero Themes.
All Rights Reserved.





New Cybersecurity Compliance for the Department of Defense Supply Chain

Wahid Vizcaino Law Firm > Uncategorized  > New Cybersecurity Compliance for the Department of Defense Supply Chain

New Cybersecurity Compliance for the Department of Defense Supply Chain

By Carmen Vizaino
Partner Wahid Vizcaino LLP

On September 29, 2020, the Pentagon set forth a new interim Defense Federal Acquisition Regulation (DFAR) known as 2019-D041. The purpose of the new rule is “to implement a Department of Defense (DoD) Assessment Methodology and Cybersecurity Maturity Model Certification framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.” The public comment period on this interim rule is 60 days, so we have until November 30, 2020, to make our views known.

The goal of the proposed rule is to implement a new approach to cybersecurity for companies that are part of the defense industrial supply chain base, known as the DIB in DoD circles.  The current approach asks DIB members to self-attest they have all reached the same set of requirements to secure the controlled but unclassified information handled when executing DoD contracted work. This is known as the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology. (See DFAR 252.204.7012) A basic assessment is a self-assessment completed by the contractor, while medium or high assessments are completed by the government.

The proposed change would add to this standard a varied set of requirements for a DIB member depending on what the contract requires of the company and would replace self-attestation of compliance with third-party verification of compliance. This is known as the Cybersecurity Maturity Model Certification (CMMC) framework. According to the interim rule, “the NIST SP 800-171 DoD Assessment and CMMC assessments will not duplicate efforts from each assessment, or any other DoD assessment, except for rare circumstances when a re-assessment may be necessary, such as, but not limited to, when cybersecurity risks, threats, or awareness have changed, requiring a re- assessment to ensure current compliance.”

The CMMC model uses best practices from various recognized standards including the current NIST SP 800-171 requirements in a cumulative process broken into five levels. In addition to the protection of Controlled Unclassified Information (CUI), the CMMC covers the protection of Federal Contract Information (FCI) as outlined in the regulations. The advantage of the CMMC over the current NIST regulations allow for a business to become cybersecurity complaint with less requirements based upon what the contract is asking of the company. A DIB member that cuts the lawn on a government facility may need less requirements than a member who creates parts for a fighter jet, so why force them to the same standard?

The interim rule also sets out how the third-party assessments shall be conducted. “An accredited third party (C3PAO) will conduct the assessments and upon successful completion will be awarded certification by the CMMC-AB. This information is recorded in the Supplier Performance Risk System (SPRS) for confirmation prior to a future contract award. CMMC will apply to all DoD solicitations and contracts, including those for the acquisition of commercial items (except those exclusively commercial off the shelf, COTS, items) valued at greater than the micro-purchase threshold” [currently $10,000 based on 10 U.S.C. §2338], “starting on or after October 1, 2025.” In short, this means the CMMC Accrediting Body is the only entity that can certify your company and you have to use a third-party assessor licensed through that entity, and everyone in the DIB will have to comply by the end of fiscal year 2025.

New Rules
The interim rules proposed are in the form of three new DFARS and they are as follows:

“The new DFARS provision 252.204-7019 advises offerors required to implement the NIST SP 800-171 standards of the requirement to have a current (not older than three years) NIST SP 800-171 DoD Assessment on record in order to be considered for award.” So, if you have a contract with DoD now, you are likely good to go until the end of that contract or three years from the start of that contract. Whichever comes first.

“The new DFARS clause 252.204-7020 requires a contractor to provide the government with access to its facilities, systems, and personnel when it is necessary for DoD to conduct or renew a higher-level assessment.”

“A new DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, is prescribed for use in all solicitations and contracts or task orders or delivery orders, excluding those exclusively for the acquisition of COTS items. This DFARS clause requires a contractor to: Maintain the requisite CMMC level for the duration of the contract; ensure that its subcontractors also have the appropriate CMMC level prior to awarding a subcontract or other contractual instruments; and include the requirements of the clause in all subcontracts or other contractual instruments.” This is applicable at the time of the award.

“To achieve the desired policy outcome, DoD intends to apply the new provision and clauses to contracts and subcontracts for the acquisition of commercial items and to acquisitions valued at or below the simplified acquisition threshold, but greater than the micro-purchase threshold. The provision and clauses will not be applicable to contracts or subcontracts exclusively for the acquisition of commercially available off-the-shelf items.”

While “the cost of these CMMC assessments will be driven by multiple factors including market forces, the size and complexity of the network or enclaves under assessment, and the CMMC level”, some costs for company assessments have been estimated in the DFARS 2019-D041 document. The estimated costs project how much the company will likely invest in staff time to work with the assessor and separately project how many hours the assessor will likely spend conducting the actual assessment. Each of those times are converted into dollars to arrive at the estimated cost for a particular third-party assessment. For example, the total cost for a CMMC Level 1 assessment is $2,995.56. This is based upon $1,166.48 for contractor support, your company employee time, and $1833.08 for the time of the actual third-party assessor.


  • erotik
    Reply November 14, 2020 at 9:53 pm

    I am really grateful to the holder of this web site who has shared this wonderful piece of writing at here. Roxana Alick Heidi

  • erotik izle
    Reply November 15, 2020 at 3:56 pm

    This paragraph offers clear idea in favor of the new visitors of blogging, that in fact how to do blogging. Cherye Germaine Monica

  • sikis izle
    Reply November 15, 2020 at 5:51 pm

    I truly appreciate this post. Thanks Again. Really Cool. Linnet Abie Bullough

  • sikis izle
    Reply November 16, 2020 at 6:35 am

    Hi there! I just wish to give you a big thumbs up for your excellent info you have here on this post. I will be returning to your blog for more soon. Neile Evelin Samella

  • erotik
    Reply November 17, 2020 at 8:48 am

    Everything is very open with a clear description of the challenges. It was truly informative. Your website is very helpful. Thank you for sharing. Corette Pat Trainer

  • film
    Reply November 18, 2020 at 11:13 am

    I was reading through some of your articles on this website and I think this website is very instructive! Retain putting up. Philomena Kienan Sewell

  • xVCFEdUJ
    Reply November 20, 2020 at 9:01 pm


  • film
    Reply November 21, 2020 at 8:16 pm

    Some really quality articles on this web site , saved to bookmarks . Yasmeen Jerri Krawczyk

  • film
    Reply November 22, 2020 at 11:44 pm

    Hey, thanks for the blog article. Much thanks again. Fantastic. Marchelle Wally Brottman

  • film
    Reply November 23, 2020 at 1:02 pm

    You made a few good points there. I did a search on the issue and found the majority of folks will go along with with your blog. Ardella Dunc Thad

  • film
    Reply November 24, 2020 at 4:48 am

    Here is a great Blog You might Come across Interesting that we encourage you to visit. Vevay Lancelot Vivienne

  • film
    Reply November 26, 2020 at 4:23 pm

    Greetings! This is my 1st comment here so I just wanted to give a quick shout out and tell you I genuinely enjoy reading your posts. Neilla Bartlet Shore

  • film
    Reply November 28, 2020 at 6:35 pm

    Chicagoan Rachael Jimenez has gone on in bearing of dates without constantly leaving her couch. Timothea Alix Flanna

  • film
    Reply November 30, 2020 at 6:51 pm

    Pretty! This was an extremely wonderful post. Thank you for supplying this information. Leland Derward Selene

  • film
    Reply December 2, 2020 at 8:18 pm

    This paragraph will help the internet viewers for creating new webpage or even a blog from start to end. Fancie Garwin Fan

  • film
    Reply December 4, 2020 at 3:08 am

    Fastidious replies in return of this question with solid arguments and explaining the whole thing about that. Mirabella Jamey Kancler

  • film
    Reply December 4, 2020 at 3:15 pm

    This paragraph is genuinely a good one it assists new web people, who are wishing for blogging. Melany Innis Marcin

  • film
    Reply December 5, 2020 at 4:52 am

    This is one awesome article. Really looking forward to read more. Much obliged. Maribel Denys Parnas

  • AquihzaRWnX
    Reply December 7, 2020 at 8:29 am


  • erotik
    Reply December 8, 2020 at 9:28 am

    I enjoy the efforts you have put in this, regards for all the great posts. Luella Farleigh Kellda

Leave a Comment