On the 29th of September 2020 the US Department of Defence (DoD) released its Interim Final Ruling (ruling) for DFARS Case D041, effective 30th November 2020. Improving the protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) across the DoDs Defence Industry Base (DIB) and closing gaps in the oversight and assurance of FAR 52.204 – 21 and DFARS 252.204 – 7012. Where applicable DFARS 252.204 – 7012 specifically requires contractors and subcontractors who supply the DoD to apply appropriate levels of protection to safeguard covered defence information, applying NIST SP 800 – 171. However failures in its deployment, oversight and assurance were identified following cyber attacks and data thefts from the DoDs Defence Industry Base (DIB), since its inception at the end of 2017. Resulting in DFARS case D041 and this ruling.
The ruling creates a 2 part approach, applying the DoD NIST SP 800 – 1717 Assessment Methodology (DAM) to the 110 NIST SP 800 – 171 practices required in DFARS 252.204 – 7012 and CMMC certification applied to selected contracts starting in 2021 through to full deployment by October 2025. In both cases contractors and subcontractors will have to submit assessment results and certifications to the DoDs Supplier Performance Risk System (SPRS), before new contracts can be awarded.
This paper examines the ruling and the associated Regulatory Impact Analysis (RIA). Highlighting the impact of the regulatory changes to contractors and subcontractors, and importantly the significant implications of the ruling to the international Defence Industry Base (DIB).
CMMC CMMC and NIST CMMC implementation CMMC Implementation CMMC strategy Cyber Legal Cyber regulation and compliance Defence Industry Base (DIB) Geopolitical cyber International CMMC