Interim Rule Solidifies Cybersecurity Requirements for Defense Industrial Base

Sheppard Mullin Richter & Hampton LLP

The Department of Defense (DoD) recently published an interim rule that sets forth its Cybersecurity Maturity Model Certification (CMMC) program plan, as well as new requirements for a “NIST SP 800-171 DoD Assessment Methodology.” NIST SP 800-171 relates to protection of sensitive but unclassified information within a company’s system. The interim rule will be effective November 30, 2020, and comments are due the same day. You can read our in-depth breakdown of the key provisions here.

The interim rule has an immediate effect for DoD contractors and subcontractors that are already required to comply with the security controls in NIST SP 800-171, as it institutes a new assessment and reporting system to verify compliance prior to contract award. With respect to the CMMC, the interim rule largely is consistent with what DoD previously has shared (see our articles here and here for more information). CMMC requirements may be included in solicitations and contracts through September 30, 2025 only where approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment. On or after October 1, 2025, CMMC will apply to all DoD solicitations and contracts (with very limited exceptions, including procurements solely for commercially available off-the-shelf items).

Putting it Into Practice. This rule has immediate implications for all companies that do business with DoD (either directly or indirectly). DoD contractors (and subcontractors) need to assess what type(s) of information they have as well as which assessment(s) will apply to them. Companies outside of the Defense Industrial Base can benefit from closely following what DoD is doing, as it is expected that other government agencies and regulators will adopt the same or a similar approach for cybersecurity in the near future.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising
