CMMC Interim Rule Includes New Compliance Requirements
October 7, 2020
By Hollie Kapos, Corporate Counsel
You never know what surprises will pop up in the last few days of the government’s fiscal year, and this year there was a big one with the Interim Rule implementing DOD’s Cybersecurity Maturity Model Certification (CMMC).
The Interim Rule (“IR”), published on September 29, 2020 and effective as of November 30, 2020, adds the widely anticipated new DFARS clause for inclusion in DOD contracts implementing CMMC: 252.204-7021 (Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement). No surprise there.
But the IR unexpectedly came with two additional clauses, DFARS 252.204-7019 (Notice of NIST SP 800-171 DOD Assessment Requirements) and DFARS 252.204-7020 (NIST SP 800-171 DOD Assessment Requirements), which require the immediate attention of federal contractors and their subcontractors.
Summary of the New Rules
- DFARS 252.204-7019 (Notice of NIST SP 800-171 DOD Assessment Requirements). Under this clause, contractors required to comply with DFARS 252.204-7012 (safeguarding covered defense information and cyber incident reporting) must now complete a NIST 800-171 self-assessment and submit the scores to DOD through the Supplier Performance Risk System (SPRS). The self-assessment is a “Basic Assessment” and must be current (not older than three years) for the contractor to be considered for award.
The self-assessment methodology assigns a point value to each of the 110 NIST 800-171 controls. If all 110 controls have been implemented, the contractor would have a score of 110. However, the scoring is not one-to-one: controls carry different point values, and failure to implement a control deducts that control’s value from the total. It’s not clear at this time what scores are acceptable – the contracting officer is only required to determine whether a contractor has a current Assessment in SPRS.
Applicability to Subcontractors: While this clause does not contain a flow-down requirement, the requirements under this section effectively flow down to subcontractors under DFARS 252.204-7020.
- DFARS 252.204-7020 (NIST SP 800-171 DOD Assessment Requirements). This clause outlines the process for Medium and High Assessments, which may be required and conducted by the government. It requires contractors to provide access to their facilities, systems and personnel as necessary for the government to conduct such Assessments. It also prohibits contractors from awarding subcontracts subject to 252.204-7012 unless the subcontractor has completed at least a Basic Assessment within the last three years.
Applicability to Subcontractors: Contractors are required to insert the substance of this clause in all subcontracts, excluding those solely for the acquisition of COTS items.
- DFARS 252.204-7021 (Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement). This clause implements the expected CMMC framework where contractors (other than those providing solely COTS items) must receive a third-party certification attesting to compliance with one of five specified cybersecurity levels and maintain that certification for the duration of their contracts.
Interestingly, the IR provides that, until October 1, 2025, a contracting officer must obtain approval from the Office of the Under Secretary of Defense for Acquisition and Sustainment to include this clause in a contract. Beginning on October 1, 2025, CMMC certification will be mandatory for all contracts over the micro-purchase threshold (currently $10K), excluding contracts solely for the acquisition of COTS.
Applicability to Subcontractors: Contractors must insert this clause in all subcontracts, excluding those solely for the acquisition of COTS, and ensure that the subcontractor has a current CMMC certification at the appropriate level for the information to be provided to the subcontractor. Presumably, this allows prime contractors to require only a level 1 in subcontracts that do not involve controlled unclassified information (CUI), even if the prime contract has a level 3 requirement. However, guidance has not yet been provided to prime contractors on how to determine what level is appropriate for subcontractors.
What Should Contractors and Subcontractors Do Now?
- Determine whether you are currently required to comply with DFARS 252.204-7012. Confirm whether this clause is included in your contract(s) or subcontract(s) and, if so, whether the COTS exemption applies to you. Note: the recently awarded ITES-SW2 contract contains this clause.
- If required to comply, start your Basic Assessment now. Beginning on November 30, 2020, a Basic Assessment reported in SPRS will be required for award of new contracts (including subcontracts) and option exercises.
- Develop a plan for verifying whether your subcontractors have submitted a Basic Assessment in SPRS. Contractors will only have access to their own submissions.
- Review the IR and consider submitting public comments, which are due November 30, 2020.
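As an added illustration (not part of the original post or of any DOD tool), the following Python sketch models the weighted Basic Assessment scoring described above and the three-year currency check a contracting officer applies before award. The per-control point values and the SPRS record layout are constructed assumptions; the actual DOD methodology weights are not given in this post.

```python
from datetime import date, timedelta
from typing import Optional

# Constructed sample of NIST SP 800-171 control ids with ASSUMED point values.
# Illustrative only: the real per-control weights are not stated in this post.
# Across all 110 controls the values sum to the perfect score of 110.
CONTROL_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.5.3": 5, "3.13.11": 5,
    "3.3.1": 3, "3.4.1": 3, "3.8.3": 3,
    "3.1.20": 1, "3.2.3": 1, "3.14.4": 1,
}
PERFECT_SCORE = 110
THREE_YEARS = timedelta(days=3 * 365)


def basic_assessment_score(unimplemented: set) -> int:
    """Start from the perfect score and deduct each unimplemented control's value.

    Because the weights differ, the result is not simply the count of
    implemented controls: one missing 5-point control costs more than
    several missing 1-point controls.
    """
    unknown = set(unimplemented) - set(CONTROL_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown control ids: {sorted(unknown)}")
    return PERFECT_SCORE - sum(CONTROL_WEIGHTS[c] for c in unimplemented)


def assessment_is_current(assessment_date: date, as_of: date) -> bool:
    """A Basic Assessment only counts if it is not older than three years."""
    return as_of - assessment_date <= THREE_YEARS


def eligible_for_award(sprs_record: Optional[dict], as_of: date):
    """Mirror the contracting officer's check: is there a CURRENT Assessment in SPRS?

    The score itself is deliberately not judged here, because the rule sets
    no passing threshold. `sprs_record` is an assumed shape:
    {"date": date, "score": int}, or None when nothing has been submitted.
    """
    if sprs_record is None:
        return False, "no Basic Assessment in SPRS"
    if not assessment_is_current(sprs_record["date"], as_of):
        return False, "Basic Assessment is older than three years"
    return True, f"current Basic Assessment on file, score {sprs_record['score']}"
```

The same `eligible_for_award` check is what a prime would need to run against each subcontractor, which is why the post recommends planning now for how to obtain that evidence, since SPRS only shows you your own submissions.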