Close this search box.

DoD Releases New CMMC Score Requirements

Department of Defense officers working on IT technology projects.

New CMMC Interim Rule Requires NIST Score Requirements for Contracts

Since the unveiling of the Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology (NIST) compliance requirements in 2017, the Department of Defense (DoD) has been stymied by an inability to verify NIST 800-171 compliance among contractors. Between the self-attestation requirements, perpetual Plan of Actions and Milestones (POAMs) and no risk of audits, there has been very little incentive for DoD contractors to fully implement all 110 requirements of the compliance framework.

That all ended on November 30, 2020, with the unveiling of a new CMMC Interim Rule.

What is the CMMC Interim Rule?

The DoD is issuing an interim rule to amend the DFARS to implement a DoD Assessment Methodology and CMMC framework to assess the contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.

Under the new regulations, all contractors will be required to publish a score representing their NIST 800-171 compliance progress before they can receive a contract. In addition to the score, contractors must also publish a date by which all requirements will be implemented.

Breaking Down the Impact to NIST 800-171

The government will utilize a vendor report card system called the Supplier Performance Risk System (SPRS) to “verify that an offeror has a current (i.e., not more than three years old, unless a lesser time is specified in the solicitation) Assessment, at any level, on record prior to contract award.”

The assessment referenced above refers to score that is created through a review of your NIST 800-171 implementation as described in your System Security Plan. What does this mean for you? You will need to have System Security Plan in place in order to perform this assessment.

“The absence of a system security plan would result in a finding that an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.” – NIST SP 800-171 Assessment Methodology Version 1.2.1 Annex A Comment 3.12.4

Once you have received your score, you will need to submit it to the SPRS.

The CMMC Impact

CMMC is now on a 5 year roll out plan and after October 1st, 2025, all contractors will be required to meet CMMC compliance on all DoD solicitations and contracts. During this phase, your organization should be considering your current System Security Plan (SSP) and your POAMs. Partnering with a reputable 3rd party vendor can help to address your concerns and help understand the GAPS in your security and compliance plan. Corsica Technologies can help your organization understand the impact your security score might bring.

Our team of compliance experts are here to help. If you do not have the NIST framework in place or if your team needs help meeting your POAMs, schedule a call with one of our experts here or read more about how we help organizations with NIST 800-171.

Corsica Technologies
Corsica provides personalized service and a virtual CIO (vCIO) who serves as a strategic advisor. When it comes to the complex integration of solutions for IT and cybersecurity, the whole is greater than the sum of its parts. We offer cybersecurity solutions, managed services, digital transformation, resale services, and one-off technology projects. Corsica unifies any combination of these services into a complete, seamless solution.

Related Reads

EDI Transactions and Document Types - Corsica Technologies

EDI Transactions: What It Takes To Win

EDI transactions are the lifeblood of processes like order placement, shipping, receiving, claims processing, and more. Across numerous industries, these transactions keep things moving in a way that no other technology can. In fact, you could say EDI solutions make

Read more
EDI 856 - Advance shipment notice - Corsica Technologies

EDI 856: Getting Your Advance Shipment Notices Right

Shipping and logistics get complicated when you have sensitive products and limited warehouse space. How do you ensure the warehouse is ready to receive a shipment—and ready to handle time-sensitive products appropriately? An EDI 856 document solves this problem. This

Read more
Cloud Data Integratoin: Power vs. ease of support - Corsica Technologies

Cloud Data Integration: Power vs Ease Of Support

It’s essential for cloud systems to talk to each other. If they don’t, data can become siloed, without widespread availability across the organization. But cloud systems introduce their own complexities that are different from on-premises systems. How do you choose

Read more

Sign Up For Our Newsletter

Stay up-to-date on the Managed Services and Cybersecurity landscape, and be the first to find out about events and special offers.