If you are a US Department of Defense (“DoD”) contractor who expects to handle Controlled Unclassified Information (“CUI”) on an upcoming contract, DoD’s DFARS 252.204-7019 (the “-7019 rule”) requires that you perform a self-assessment of your cybersecurity program using NIST SP 800-171 (but be sure you are using the assessment criteria defined in NIST SP 800-171A!) and assign your organization a score using the scoring system outlined in DoD’s assessment methodology (the score will be somewhere between -203 and 110 points). Today, that score must then be submitted to DoD’s Supplier Performance Risk System (“SPRS”) so contracting officers can make sure you meet this requirement.

DoD recognizes that many contractors are still trying to get their arms around cybersecurity; that is why, when DoD introduced the -7019 rule in 2021, the only requirement was that contractors submit an (honest, fact-based) score to SPRS. They wanted to make sure contractors were doing the analysis that was previously required under DFARS 252.204-7012 and to signal to contractors’ management that it was time to take cybersecurity more seriously. Under the -7019 rule, the actual score was not given any weight during acquisition.

Under a new rule proposed by DoD (DFARS case 2019-D009), the information in SPRS, which also includes other supplier (i.e., contractor) risk information, will be considered along with price when evaluating proposals. As yet, we have not seen additional details about exactly how this will be rolled out to contractors, but it obviously could have significant impacts on many contractors who have held off implementing CMMC/NIST SP 800-171 requirements. As we learn more, we will publish additional articles. Be sure to subscribe to our newsletter to stay informed!

Regardless of how it is rolled out, it is clearly in the best interest of all contractors who handle CUI not only to conduct their self-assessment and submit their score, but also to start remediating any gaps and push (quickly) toward the 110-point score.

If you have not conducted a self-assessment, or if you are trying to track individual actions that need to be addressed, our free NIST SP 800-171A/CMMC self-assessment tool can help.