A new U.S. Department of Defense rule goes into effect later this month that will require DoD contractors and subcontractors to complete a cybersecurity self-assessment.

The rule, technically an interim rule, amends the Defense Federal Acquisition Regulation Supplement, or DFARS, by requiring the implementation of a DoD Assessment Methodology and Cybersecurity Maturity Model Certification (CMMC) framework to ensure unclassified information within the DoD supply chain is protected.

Beginning November 30, prime contractors and subcontractors will need to complete an assessment before receiving new DoD contracts and before to the exercise of new options under existing DoD contracts.

Currently, DoD contracts, under DFARS clause 252.204-7012 - aka Safeguarding Covered Defense Information and Cyber Incident Reporting - are required implement the 110 security controls set forth in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 on any information system that processes, stores, or transmits Controlled Unclassified Information.

The new rule, which will be imposed through new DoD solicitations of DFARS clause 252.204-7019, creates a new NIST SP 800-171 Assessment requirement for any DoD procurements awarded on or after November 30 that ordinarily exceed $10,000. Offerors will need an assessment carried out within three years of the contract award.

The CMMC, which builds on the NIST SP 800-171 DoD Assessment Methodology, is in year one of a five-year rollout - it released Version 1.0 in January.

The CMMC framework will eventually apply to all DoD contractors, subcontractors, and suppliers. As part of the framework, cybersecurity assessments will be performed by third party assessment organizations. The Office of the Secretary of Defense staff is coordinating with the Military Services and Department Agencies to identify candidate contracts during the first five years of implementation that will include the CMMC requirement in the statement of work.

“By October 1, 2025, all entities receiving DoD contracts and orders, other than contracts or orders exclusively for commercially available off-the-shelf items or those valued at or below the micro-purchase threshold, will be required to have the CMMC Level identified in the solicitation,” the Federal Register notes.

A Federal Register summary of the rule cites the dangers associated with intellectual property theft - something that could lead to an estimated $570 billion to $1.09 trillion dollars in losses - as an impetus for the DoD's ongoing work in this area.

"The theft of intellectual property and sensitive information from all U.S. industrial sectors due to malicious cyber activity threatens U.S. economic and national security. The aggregate loss of intellectual property and certain unclassified information from the DoD supply chain can undercut U.S. technical advantages and innovation, as well as significantly increase risk to national security. This rule is expected to enhance the protection of FCI and CUI within the DIB sector."

Until the CMMC requirements are rolled out fully and apply to all contracts, contractors will have to comply with the new NIST SP 800-171 Assessments requirements at the end of this month.

Contractors looking to learn more about the interim rule, including expected cost impact and benefits should check the Federal Register page.