The Department of Defense (DoD) acquisition rule implementing CMMC (DFARS Case 2019-D041) took effect on November 30, 2020. The Defense Federal Acquisition Regulation Supplement, known as the DFARS, is the vehicle that carries the CMMC requirement into Defense acquisition policy. The CMMC requirement will begin to appear in new Requests for Proposals (RFPs) and Requests for Information (RFIs); these may not mention CMMC by name and instead cite the DFARS clause at 252.204-7021, which is the CMMC clause.

DoD Assessment Methodology and Additional DFARS Clauses 

DFARS Case 2019-D041 introduced the DoD Assessment Methodology for NIST SP 800-171 and added two clauses alongside the CMMC clause. Both new clauses are approved for inclusion in all DoD contracts that also contain the DFARS -7012 clause. The -7012 clause applies to any company that processes, stores, transmits, or otherwise handles Controlled Unclassified Information (CUI), although it is often found in contracts under which the company never actually handles CUI. The DoD Assessment Methodology must be used for the contractor's NIST SP 800-171 self-assessment and is also the methodology DoD uses when it conducts its own NIST SP 800-171 assessments of Defense contractors (both are described under the new clauses below).

DoD Assessment Methodology

*New* -7019 Clause

The -7019 clause, added as part of DFARS Case 2019-D041, has the following requirements:

  1. Every company that handles DoD CUI must complete a self-assessment of its NIST SP 800-171 implementation using the DoD Assessment Methodology (see link above) and produce a score. Scoring starts at 110 and subtracts 1, 3, or 5 points for each requirement that is not fully implemented, so scores range from 110 down to -203.
  2. The company must then enter that score, together with the date by which it expects to have remediated all gaps, into the Supplier Performance Risk System (SPRS).

At the time of award for a DoD contract containing the -7019 clause, the contracting officer verifies only that a current score (not more than three years old, unless the solicitation specifies a shorter period) has been posted to SPRS. There is currently no minimum score requirement, so any posted score satisfies the -7019 clause; the score is a disclosure, not a pass/fail gate.

*New* -7020 Clause

Like the -7012 and -7019 clauses, this new clause is approved for inclusion in all DoD contracts. It requires the contractor to give the Government access to its facilities, systems, and personnel whenever DoD needs that access to conduct or renew a higher-level assessment, meaning a Medium or High Assessment. The self-assessment performed under the -7019 clause is the Basic Assessment. The -7020 clause also flows down: before awarding a subcontract that is subject to NIST SP 800-171, the prime must confirm the subcontractor has a current assessment posted in SPRS.

  • Medium Assessment: conducted by DoD personnel and consists of a review of the system security plan (SSP), specifically its description of how each requirement is met, to identify descriptions that do not properly address the security requirement.
  • High Assessment: conducted on-site at the contractor's location by DoD personnel, using the full NIST SP 800-171A assessment procedures to determine whether each implementation actually meets the requirement, by reviewing evidence and/or observing demonstrations (e.g., recent scanning results, system inventories, configuration baselines, a demonstration of multifactor authentication).

Controlled Unclassified Information

