NIST 800-171 110 Security Requirements Implementation
Companies must implement the 110 security requirements of NIST 800-171, or document in a System Security Plan and Plans of Action those requirements that are not yet implemented and provide a date when they will be implemented (DFARS 252.204-7012).
NIST SP 800-171 DoD Assessment Methodology rev 1.2.1 is Documented
NIST SP 800-171 DoD Assessment Methodology rev 1.2.1 documents the standard methodology enabling a strategic assessment of a contractor’s implementation of NIST SP 800-171, a requirement for compliance with DFARS clause 252.204-7012.
Supplier Performance Risk System (SPRS) Assessments
DoD announces the deployment of a cyber assessment capability module in the Supplier Performance Risk System (SPRS) to support National Institute of Standards and Technology (NIST) Special Publication SP 800-171 compliance (https://www.sprs.csd.disa.mil/). With this deployment, authorized representatives of the contractor are able to enter results for self-assessments in SPRS via the Procurement Integrated Enterprise Environment (PIEE) (https://piee.eb.mil/piee-landing/).
Contract Award Eligibility Required Through NIST Assessments
Companies are required to implement the NIST SP 800-171 standard and to have a current (<3 years) NIST SP 800-171 DoD Assessment on record in order to be considered for contract award. The provision requires companies to ensure the results of any applicable current Assessments are posted in the Supplier Performance Risk System (DFARS 252.204-7019).
DoD Solicitations Phased in 5-Year Time Period
Until October 1, 2025:
Inclusion of CMMC requirements in all DoD solicitations is phased in over a 5-year time period. The contracts that will incorporate CMMC requirements are determined by the DoD’s Under Secretary of Defense for Acquisition and Sustainment.
CMMC Level Identification Required by DoD Customers
After October 1, 2025:
All entities receiving DoD contracts and orders, other than commercial off-the-shelf (COTS) products, will be required to have the CMMC Level identified in the solicitation, and at a minimum will require a CMMC Level 1 certification.