If you must comply with Defense Federal Acquisition Regulation Supplement 252.204-7012 (DFARS 252.204-7012) or with the security requirements for Controlled Unclassified Information (CUI), or if you are part of the DoD supply chain with a current contract in place, you will need to follow the requirements of the interim DFARS rule. Otherwise, your DoD contracts could be terminated.
One of the new requirements is to perform a NIST SP 800-171 self-assessment and submit the score; if you have not fully implemented all of the requirements (a score of 110), you also submit the date by which you expect to reach full implementation. This obligation comes from the following clauses:
- DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements
- DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements
These clauses became effective on November 30, 2020. If you are behind on this, take immediate action.
How do I comply with these NIST SP 800-171 DoD requirements?
- Implement the security requirements of NIST SP 800-171, following the framework's guidance.
- Create a Plan of Action & Milestones (POA&M) that lists every requirement not yet fully implemented, with a target completion date for each, so you can measure your progress.
- Perform the NIST SP 800-171 DoD Self-Assessment (the Basic assessment) and compute your score using the DoD Assessment Methodology.
- Post your score, the assessment date and the expected date of full implementation in the Supplier Performance Risk System (SPRS).
The assessment must follow the standard scoring methodology published by the DoD: the score starts at 110 and each requirement that is not fully implemented subtracts points according to its weight, so the result directly identifies which security requirements you still need to implement. Working through this process will mature your cybersecurity program and prepare you for CMMC and for handling CUI.
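The following is an added example, not code from the original page or from Impact Utah. It computes a self-assessment score from a POA&M the way the DoD Assessment Methodology describes: start at 110, subtract each unimplemented requirement's weight (1, 3 or 5 points, per the methodology's Annex A), give the two partial-credit cases (3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography) 3 points off instead of 5, and floor the result at -203. The requirement list, weights and dates below are constructed for illustration; the weights of the real 110 requirements must be taken from Annex A, and a real assessment lists all 110 (any requirement you leave out here is treated as implemented).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_SCORE = 110   # all 110 requirements fully implemented
MIN_SCORE = -203  # lowest score the methodology allows

# Partial-credit rules from the DoD Assessment Methodology:
# requirement id -> (status that earns partial credit, points subtracted)
PARTIAL_CREDIT: Dict[str, Tuple[str, int]] = {
    # MFA in place for remote and privileged users but not for general users
    "3.5.3": ("mfa_remote_privileged_only", 3),
    # encryption employed but not FIPS-validated
    "3.13.11": ("non_fips_encryption", 3),
}

IMPLEMENTED = "implemented"
NOT_IMPLEMENTED = "not_implemented"


@dataclass
class Requirement:
    """One NIST SP 800-171 requirement as it appears in the POA&M."""
    id: str
    weight: int                    # 1, 3 or 5 from Annex A of the methodology
    status: str                    # IMPLEMENTED, NOT_IMPLEMENTED or a partial-credit status
    poam_due: Optional[str] = None # ISO date of planned completion if not implemented


def points_subtracted(req: Requirement) -> int:
    """Points lost for a single requirement under the DoD scoring rules."""
    if req.weight not in (1, 3, 5):
        raise ValueError(f"{req.id}: weight must be 1, 3 or 5, got {req.weight}")
    if req.status == IMPLEMENTED:
        return 0
    partial = PARTIAL_CREDIT.get(req.id)
    if partial and req.status == partial[0]:
        return partial[1]
    if req.status == NOT_IMPLEMENTED:
        return req.weight
    raise ValueError(f"{req.id}: unknown status {req.status!r}")


def score_assessment(reqs: List[Requirement]) -> int:
    """Self-assessment score: 110 minus the weight of every open item, floored at -203."""
    ids = [r.id for r in reqs]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate requirement ids in assessment")
    total = MAX_SCORE - sum(points_subtracted(r) for r in reqs)
    return max(total, MIN_SCORE)


def open_poam_items(reqs: List[Requirement]) -> List[Requirement]:
    """Open POA&M items, earliest due date first; every open item needs a date."""
    open_items = [r for r in reqs if points_subtracted(r) > 0]
    missing = [r.id for r in open_items if not r.poam_due]
    if missing:
        raise ValueError(f"open requirements without a POA&M date: {missing}")
    return sorted(open_items, key=lambda r: r.poam_due)


def sprs_summary(reqs: List[Requirement], assessment_date: str) -> Dict[str, object]:
    """The three values SPRS asks for: score, assessment date, expected full-implementation date."""
    items = open_poam_items(reqs)
    return {
        "score": score_assessment(reqs),
        "assessment_date": assessment_date,
        # with a score of 110 there is nothing left to finish
        "expected_completion": items[-1].poam_due if items else assessment_date,
        "open_items": [r.id for r in items],
    }


# Constructed sample POA&M (not a real assessment; weights are assumed, check Annex A)
SAMPLE_POAM = [
    Requirement("3.1.1", 5, IMPLEMENTED),
    Requirement("3.1.20", 1, NOT_IMPLEMENTED, "2021-03-31"),
    Requirement("3.3.1", 5, NOT_IMPLEMENTED, "2021-05-31"),
    Requirement("3.5.3", 5, "mfa_remote_privileged_only", "2021-06-30"),
    Requirement("3.13.11", 5, "non_fips_encryption", "2021-09-30"),
]

if __name__ == "__main__":
    # 110 - 1 - 5 - 3 - 3 = 98, full implementation expected 2021-09-30
    print(sprs_summary(SAMPLE_POAM, "2021-01-15"))
```

Two caveats the methodology imposes that the code enforces: an item on the POA&M is still scored as not implemented (the plan itself earns no credit), and only the two listed requirements have a partial-credit state; any other "partially implemented" status is rejected rather than silently counted.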
If you are not sure how to implement these requirements, or do not know whether they apply to your business, Impact Utah can help you assess your situation, walk you through implementing the NIST SP 800-171 guidelines, and help you reach your CMMC level.