Time for Compliance with DOD’s Cybersecurity Regulations is NOW

Michael Joseph Montalbano and Samarth Barot 

On February 19, 2024, the Department of Justice (“DOJ”) notified the U.S. District Court for the Northern District of Georgia that it would intervene in a False Claims Act (“FCA”) case filed against Georgia Tech Research Corporation and Georgia Institute of Technology (collectively “Georgia Tech”) for not complying with the requirements of DFARS 252.204-7012 and National Institute of Standards and Technology Special Publication 800-171 (“NIST 800-171”).

All Department of Defense (“DOD”) solicitations and contracts contain DFARS clause 252.204-7012. DFARS 252.204-7012 requires a contractor to assess its compliance with the 110 cybersecurity controls set out in NIST 800-171 if the contractor has controlled unclassified information. Specifically, pursuant to DFARS 252.204-7012, contractors must implement all of the NIST 800-171 requirements and upload the results of that assessment to the Department of Defense’s Supplier Performance Risk System (“SPRS”), or have a plan of action and milestones in place for any requirement the contractor has not yet implemented.


New Department of Defense Regulations Clarify Contractors’ Responsibilities to Comply with NIST SP 800-171 and CMMC Requirements

Robyn N. Burrows and Michael J. Montalbano

On September 29, 2020, the Department of Defense (“DoD”) issued a long-awaited interim rule to strengthen cybersecurity protections throughout the Defense Industrial Base. The new rule establishes how DoD will assess contractors under current cybersecurity regulations set out by the National Institute of Standards and Technology Special Publication 800-171 (“NIST Requirements”) and the newly established Cybersecurity Maturity Model Certification (“CMMC”) program. The interim rule goes into effect on November 30, 2020, although, as we have discussed in earlier posts, DoD will gradually roll out the CMMC over the next five years.

NIST Self-Assessment Requirements

The first part of the new rule applies to contracts that incorporate DFARS 252.204-7012, which requires contractors and subcontractors that have access to covered defense information to comply with the NIST Requirements. Under the new rule, these entities will need to conduct a “Basic” self-assessment of their compliance with the NIST Requirements, and submit the results of that assessment to DoD through the Supplier Performance Risk System (“SPRS”). Contractors will need to update this self-assessment every three years or sooner if required by a contract. Starting November 30, 2020, contractors will not be eligible for new contracts (including task orders and delivery orders) or for options on existing contracts, unless the self-assessment score is posted on SPRS. DoD expects that it will take 30 days from submission to have the self-assessment score posted on SPRS, so it is important for contractors to submit their assessment at least 30 days prior to the November 30, 2020 implementation date.
