DoD Rulemaking Update and Impact on Defense Contractors

January 18, 2023 Posted by John Bermingham CMMC, Cybersecurity, IT Security

DoD released its long-awaited Rulemaking Agenda for CMMC 2.0 last week. The update indicates that the rule is now slated to be published in May 2023, not March 2023 as previously anticipated. The release additionally revealed that DoD will not publish an Interim Final Rule at that time. Instead, DoD will publish a Proposed Rule in the Federal Register that will be open for public comment, typically for a period of 60 days. As such, the actual timeline for DoD to issue a Final Rule can vary significantly. How long it takes will largely depend on the number of public comments submitted and how long it takes DoD to address them. While it is difficult to predict exactly when DoD will publish the Final Rule, it could be as late as mid-2024.

What this means to defense contractors and companies pursuing work with DoD:

  • The requirement to undergo third-party assessments based on NIST 800-171 will coincide with the date of the Final Rule
  • Requirements set forth in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems are unchanged
  • Requirements set forth in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting are unchanged
  • Requirements set forth in DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements are unchanged
  • Requirements set forth in DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements are unchanged

Keeping track of the changing CMMC landscape can be difficult. This change, however, does not impact the cybersecurity practices that DoD requires of current or prospective defense contractors. The following requirements still apply to contractors with the aforementioned DFARS clauses in their contracts:

  • Must have completed a Self-Assessment against NIST 800-171
  • Must have a written System Security Plan (SSP)
  • Must have a Plan of Actions and Milestones (POA&M)
  • Must provide a final completion date for all POA&Ms
  • Must have a calculated DoD Assessment Score
  • Must have submitted the above information into the DoD Supplier Performance Risk System (SPRS)

It is important to note that the above requirements must be maintained over time and be reevaluated at least annually. For example, the SSP and POA&M must reflect changes to the system or the operating environment. In addition, changes to the system can result in new POA&Ms that need to be managed. As POA&Ms are mitigated, new scores should be calculated and updated in SPRS. Unfortunately, we are aware of cases in which companies had met all the basic requirements, only to learn a couple of years later that their compliance program no longer represented their system.

Assurance is not limited to SPRS. Prime contractors and two newly minted DFARS clauses are a sure sign that using external sources to assure compliance with NIST 800-171 is not going away. We have seen a significant increase in prime contractors levying NIST 800-171 requirements in new contracts and requiring their existing subcontractors to demonstrate compliance with the standard. This includes requests for the following evidence:

  • Questionnaires
  • DoD Assessment Score
  • Open POA&Ms
  • System Security Plan

In 2022, two new DFARS clauses gave further credence to the forward momentum of CMMC-destined requirements, and the department’s resolute position on protecting Controlled Unclassified Information (CUI). The clauses have already begun to appear in prime contracts and have flowed down to subcontracts.

The first, DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, requires offerors to implement DFARS 252.204-7012 before being “considered” for award.

The second clause is DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements. Paragraph (c) requires contractors to provide access to their facilities, systems, and personnel as necessary for the government to conduct medium or high assessments as described in the NIST SP 800-171 DoD Assessment Methodology.

One can only conclude that DoD’s decision to postpone publication of a Final Rule does not signal a change of trajectory regarding current NIST 800-171 compliance, nor does it indicate a change to assured compliance using external resources. Rather, downward pressure by DoD and prime contractors, coupled with these new clauses, clearly signifies that compliance with NIST 800-171 will continue and that external resources will be used to assure it.

Finally, when considering what course of action or next steps to take, we recommend staying the course. It is critical that defense contractors continue progress towards achieving a maximum DoD Assessment Score of 110. This means continuing to develop or improve their current CMMC-based compliance program by working on and closing open POA&Ms, which will help produce a favorable assessment outcome.

Tags: CMMC Certification, cybersecurity
About John Bermingham

John Bermingham is Director of Government Services at OCD Tech. John has over 25 years of information assurance experience performing IT audits, risk assessments, and cybersecurity threat and vulnerability analysis on systems ranging from Unclassified, Controlled Unclassified Information (CUI), to Top Secret/SCI. Over his career John has consulted for or worked with scores of organizations across government agencies, Federally Funded Research and Development Centers (FFRDCs), prime defense contractors, subcontractors, and commercial companies.
