DOD Issues Interim Final Rule Assessing Contractor Implementation of Cybersecurity Requirements

On September 29, 2020, the Defense Acquisition Regulations System issued an interim final rule to implement the DoD’s Cybersecurity Maturity Model Certification. The interim final rule seeks to assess contractor implementation of cybersecurity procedures requirements to further strengthen protection of classified materials throughout the supply chain. The rule allows for a five-year phase-in with different levels of certification requirements for DOD contracts. Additionally, the rule requires some contractors who want medium- or high-level work to open themselves up to a DOD review.

The new rule also requires that contractors undergo a third-party audit. The rule is written in such a way that most of the auditing will be done by third parties, but some might be done by the Cybersecurity Maturity Model Certification Audit Board itself.

Comments on the interim final rule are due November 30, 2020.

  • Read the Federal Register notice here.
  • Submit comments here.

Advocacy Contact: Major Clark III