1. Home
  2. |Insights
  3. |Buy 1 Get 2 Free Special on Cyber Regulations: DoD Interim Rule Unveils 3 New Clauses Geared at Cybersecurity Assessments

Buy 1 Get 2 Free Special on Cyber Regulations: DoD Interim Rule Unveils 3 New Clauses Geared at Cybersecurity Assessments

Client Alert | 1 min read | 09.29.20

The Department of Defense (DoD) has released its eagerly anticipated Interim Rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement two major initiatives: the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology and the Cybersecurity Maturity Model Certification (CMMC). The Interim Rule introduces the related clauses DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements and DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements; as well as the separate clause DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements.

-7019 requires contractors to have a current NIST SP 800-171 DoD Assessment in order to be considered for award, which may have been met where contractors have had a recent Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) Assessment. Relatedly, -7020 requires contractors to provide the Government with access to their facilities and systems for higher-level Assessments, in addition to ensuring that subcontractors handling Covered Defense Information (CDI) have made their Assessments available to the Government.

-7021 implements the long-expected CMMC framework, where contractors must receive a third-party certification that they have met one of five specified cybersecurity levels – and maintain that certification for the duration of their contracts. The CMMC clause will begin appearing in select solicitations later this year, and eventually in all solicitations above the micro-purchase threshold by October 1, 2025, excluding those exclusively for commercially available off-the-shelf (COTS) items.

The Interim Rule goes into effect on November 30, 2020, with comments due the same day.

Contacts

Insights

Client Alert | 1 min read | 07.08.26

CAS Board Publishes Final Rule Rescinding CAS 404, 408, 409, and 4117

As part of its ongoing effort to conform the Cost Accounting Standards (“CAS”) to generally accepted accounting principles (“GAAP”), the CAS Board published a final rule rescinding CAS 408 (Accounting for costs of compensated personal absence) and CAS 411 (Accounting for acquisition costs of material).  The CAS Board also rescinded CAS 404 (Capitalization of tangible assets) and CAS 409 (Depreciation of tangible capital assets) but retained certain requirements of CAS 404 and 409, which will be located in new paragraphs of CAS 405 (Accounting for unallowable costs).  Specifically, the CAS Board retained the requirements currently located at CAS 404-50(d)(1), CAS 409-50(e)(5), CAS 409-50(j)(1), and CAS 409-50(j)(4), which the CAS Board explained are necessary to protect the Government’s interests.  Otherwise, the CAS Board determined that the requirements of CAS 404, 408, 409, and 411 overlapped with GAAP such that GAAP “may be applied reasonably as a substitute for CAS to support contract cost and pricing.”...