How will CMMC and DAM data be used by the Department of Defense for contract awards?
To all intents and purposes, the Interim Final Ruling published by the Department of Defense on the 29th of September 2020 will become effective on the 30th of November 2020. It requires that contractors and subcontractors input their assessment of NIST SP 800-171 compliance, and ultimately their CMMC certificates, into the DoD's Supplier Performance Risk System (SPRS). This was not previously required under DFARS 252.204-7012. The requirement will be formalised under a new DFARS subpart 204.73 and set out in new DFARS clauses 252.204-7019 and 252.204-7020, which require contractors to have a current NIST SP 800-171 assessment and to ensure that applicable subcontractors also have the results of a current assessment posted in the SPRS system prior to awarding a subcontract.
The DoD has recently made a few updates, albeit quietly, to outline its intended use of the results of the DoD's Assessment Methodology (DAM) and of the contractor and subcontractor results input into its SPRS system. It recently updated the Frequently Asked Questions which apply to contractors' cybersecurity requirements, stating that DAM results input into SPRS were to be “an objective assessment of a contractor's NIST 800-171 implementation status”. The DoD also published a proposed rule in August 2020, expanding the use of SPRS and requiring Contracting Officers to use the results from SPRS as a factor in reducing supply chain risk.
Alongside other recent supply chain rules, there is a concerted effort by the Federal Government and the DoD to improve supply chain security: on one side to protect intellectual property (IP), and on the other to put in place the necessary enforcement actions for those products and services which put it at risk.
Article published by Covington Law