Keeping government information secure from unwanted eyes is critical to our national security. Yet companies that process sensitive government data (whether directly or as a sub-contractor in the supply chain) have only been required to “self-attest” to their conformance with relevant DFARS/NIST SP 800-171 guidance… until now.
The self-attestation approach has not worked very well, as evidenced by notable breaches of critical government information. This has driven the U.S. Department of Defense (DoD) and other government agencies to mandate a higher level of attestation: the Cybersecurity Maturity Model Certification (CMMC).
Leading up to the release of the CMMC certification, the DoD decided to add a new DFARS Interim Rule (DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements) that took effect on November 30, 2020. This clause states that government contractors and their subs will need to have a current assessment score representing their NIST SP 800-171 progress published within the Supplier Performance Risk System (SPRS) before award of contract.