Whether a direct contractor or a small sub-contractor, any manufacturer needs to be aware of new U.S. Department of Defense cybersecurity requirements. The new DoD rule went into effect in November of 2020 and will require DoD contractors and subcontractors to complete a cybersecurity self-assessment.
The rule is an interim rule. It amends the Defense Federal Acquisition Regulation Supplement, or DFARS, by requiring the implementation of a DoD Assessment Methodology and Cybersecurity Maturity Model Certification (CMMC) framework to ensure unclassified information within the DoD supply chain is protected.
Beginning November 30, prime contractors and subcontractors will need to complete an assessment before receiving new DoD contracts and before the exercise of new options under existing DoD contracts.
Currently, DoD contracts under DFARS clause 252.204-7012 require implementation of the 110 security controls outlined in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 on any information system that processes, stores, or transmits Controlled Unclassified Information.
The new rule creates an assessment requirement for any DoD procurements awarded on or after November 30 that exceed $10,000.
The CMMC, which builds on the NIST SP 800-171 DoD Assessment Methodology, is in year one of a five-year rollout.
The CMMC assessment requirement will eventually apply to all DoD contractors, subcontractors, and suppliers. As part of the framework, cybersecurity assessments will be performed by third-party assessment organizations.
A Federal Register summary describes the dangers and damages associated with intellectual property theft, stating that it can lead to an estimated $570 billion to $1.09 trillion in losses.
“The theft of intellectual property and sensitive information from all U.S. industrial sectors due to malicious cyber activity threatens U.S. economic and national security. The aggregate loss of intellectual property and certain unclassified information from the DoD supply chain can undercut U.S. technical advantages and innovation, as well as significantly increase the risk to national security. This rule is expected to enhance the protection of FCI and CUI within the DIB sector.”
Until the CMMC requirements are fully rolled out and apply to all contracts, contractors will have to comply with the new NIST SP 800-171 assessment requirements as of November 30.
This New DoD Requirement is Sparking M&A Activity
Small DoD contractors and sub-contractors may have trouble with the cost of implementing these new requirements and will lose business if they can’t comply. If you find yourself in that situation, a merger with a larger company may be the answer you need. We’ve already sold smaller DoD contractors to larger organizations to ensure they could continue with their DoD work. Learn what your options are. Merging with a larger entity can help you fulfill these new DoD requirements and solve other growth impediments at the same time.