Companies must implement the 110 security requirements of NIST 800-171, or document in a System Security Plan and Plans of Action for those requirements that are not yet implemented and must provide a date when the requirements will be implemented (DFARS 252.204-7012).

NIST SP 800-171 DoD Assessment Methodology rev 1.2.1, documents the standard methodology enabling a strategic assessment of a contractor’s implementation of NIST SP 800-171, a requirement for compliance with DFARS clause 252.204-7012.

DoD announces the deployment of a cyber assessment capability module in the Supplier Performance Risk System (SPRS) to support National Institute of Standards and Technology (NIST) Special Publication SP 800-171 compliance (https://www.sprs.csd.disa.mil/). With this deployment, authorized representatives of the contractor are able to enter results for
self-assessments in SPRS via the Procurement Integrated Enterprise Environment (PIEE) https://piee.eb.mil/piee-landing/.

Companies are required to implement the NIST SP 800-171 standard and to have a current (<3 years) NIST SP 800-171 DoD Assessment on record in order to be considered for contract award. The provision requires companies to ensure the results of any applicable current Assessments are posted in the Supplier Performance Risk System (DFARS 252.204-7019).

Until October 1, 2025:

Inclusion of CMMC requirements in all DoD solicitations is phased in over a 5 year time period.  The contracts that will incorporate CMMC requirements are determined by the DoD’s Under Secretary of Defense for Acquisition and Sustainment.