(a)

(1) Contractors and subcontractors are required to provide adequate security on all covered contractor information systems.

(2) Contractors required to implement NIST SP 800-171, in accordance with the clause at 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, are required at time of award to have at least a Basic NIST SP 800-171 DoD Assessment that is current (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) (see 252.204-7019).

(3) The NIST SP 800-171 DoD Assessment Methodology is located at https://www.acq.osd.mil/dpap/pdi/cyber/strategically_assessing_contractor_implementation_of_NIST_SP_800-171.html.

(4) High NIST SP 800-171 DoD Assessments will be conducted by Government personnel using NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information.”

(5) The NIST SP 800-171 DoD Assessment will not duplicate efforts from any other DoD assessment or the Cybersecurity Maturity Model Certification (CMMC) (see subpart 204.75), except for rare circumstances when a re-assessment may be necessary, such as, but not limited to, when cybersecurity risks, threats, or awareness have changed, requiring a re-assessment to ensure current compliance.

*   *   *   *   *
