Governance Briefing — DoD issues DFARS interim rule to roll out CMMC assessments

Executive briefing: The interim rule (DFARS Case 2019-D041) adds clauses 252.204-7019 through -7021 requiring contractors to complete NIST SP 800-171 Basic/Medium/High assessments in SPRS and to obtain CMMC certification at the level specified in solicitations, with phased implementation through 2025.^{85 FR 61505; DFARS 252.204-7021}

Programme steps

• Submit assessments. Perform and upload the required NIST SP 800-171 DoD Assessment scores to SPRS before responding to covered solicitations as mandated by DFARS 252.204-7019.
• Plan for certification. Identify target CMMC levels per contract types, engage a C3PAO for assessments, and update SSPs/POAMs to close control gaps.
• Flow down requirements. Ensure subcontract agreements incorporate the new DFARS clauses and verification that subs meet required assessment or certification levels.

Sources

• Federal Register interim rule (85 FR 61505)
• DoD CMMC FAQ (September 2020)

Related briefings

Curated signals from the same pillar or overlapping topics.

Governance · Credibility 40/100 · January 31, 2020

DoD releases Cybersecurity Maturity Model Certification (CMMC) Version 1.0

The U.S. Department of Defense published CMMC Version 1.0, setting five security maturity levels and third-party certification requirements for defense contractors.

Governance · Credibility 45/100 · February 20, 2020

Governance Briefing — NIST publishes SP 800-171 Revision 2

NIST issued Special Publication 800-171 Revision 2, keeping the existing 110 security controls for protecting Controlled Unclassified Information while setting the stage for assessment procedures. Defense and federal…

Governance · Credibility 40/100 · January 31, 2020

Governance Briefing — DoD releases CMMC Version 1.0 for defense contractors

On 31 January 2020 the U.S. Department of Defense published Cybersecurity Maturity Model Certification (CMMC) Version 1.0, setting a five-tier certification path that contractors must meet to handle controlled…

Governance · Credibility 45/100 · May 10, 2023

Governance Briefing — NIST releases SP 800-171 Revision 3 draft

NIST issued the initial public draft of SP 800-171 Rev. 3 on 10 May 2023, aligning controlled unclassified information safeguards with SP 800-53 Rev. 5 and CUI program updates.

Governance · Credibility 45/100 · September 29, 2020

Governance Briefing — NIST publishes SP 800-207 Zero Trust Architecture guidance

NIST released Special Publication 800-207 on 29 September 2020, formalizing zero trust architecture tenets and deployment patterns for federal and enterprise networks.

Continue in the Governance pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Public-Sector Governance Alignment Playbook — Zeph Tech

  Align OMB Circular A-123, GAO Green Book, OMB M-24-10 AI guidance, EU public sector directives, and UK Orange Book with digital accountability, risk management, and service…

• Third-Party Governance Control Blueprint — Zeph Tech

  Deliver OCC, Federal Reserve, PRA, EBA, DORA, MAS, and OSFI third-party governance requirements through board reporting, lifecycle controls, and resilience evidence.

• Governance, Risk, and Oversight Playbook — Zeph Tech

  Operationalise board-level governance, risk oversight, and resilience reporting aligned with Basel Committee principles, ECB supervisory expectations, U.S. SR 21-3, and OCC…