January 24, 2021

Volume XI, Number 24


January 22, 2021

Subscribe to Latest Legal News and Analysis

Updated Cybersecurity Assessment Requirements for Federal Contractors


On September 29, 2020, the US Department of Defense (DoD) released the highly anticipated interim rule (“Interim Rule”) amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the DoD Assessment Methodology and Cybersecurity Maturity Model Certification (CMMC). This new Interim Rule is effective November 30, 2020, in advance of promulgation of a future final rule. (DFARS Case 2019-D041; 85 FR 61505.)



The most significant change in the Interim Rule is the introduction of the new obligation for federal contractors to either self-certify or obtain a third-party assessment methodology to certify contractor compliance with cybersecurity requirements. (Click here for McDermott’s analysis.) Pursuant to the Interim Rule, beginning November 30, 2020, all contractors and subcontractors who accept contracts containing DFARS clause 252.204-7012 will need to comply with the National Institute of Standards and Technology (NIST) Assessment methodology for initial assessments, and update those assessments every three years.

This framework expands on existing requirements for federal contractors, as set forth by DFARS Clause 242.204-7012 and NIST Special Publication (SP) 800-171.


The NIST Assessment Methodology is designed to enable the federal government to assess its prime contractors and for the prime contractors to assess their subcontractors.

To qualify for new contract awards after the implementation date of the Interim Rule, contractors and subcontractors are required to have an assessment on record within the last three years (or more recently for certain contracts). (Interim Rule, 85 FR at 61506.)

The methodology provides for three types of assessments. (Assessment Methodology at 3-5.)

  • Basic. Basic Assessments are self-assessments performed by the contractor or the subcontractor against the 110 controls of NIST SP 800-171. A Basic Assessment provides only a minimum level of confidence in the resulting score because it is a self-assessment.

  • Medium. Medium Assessments are performed by DoD-trained personnel, who assess the contractor’s system security plan to determine how each requirement is met and identify any measures that may not properly address security requirements. These assessments provide a medium level of confidence in the resulting score.

  • High. High Assessments are performed by DoD-trained personnel using NIST SP 800-171A. The assessors review evidence and demonstrations of compliance with the 110 controls of NIST SP 800-171. On-site assessments are preferred, but the methodology allows for virtual assessment with the same methodology as the on-site assessment with added data protections. These assessments provide the highest confidence level in the resulting score.

All contractors (and applicable subcontractors) will be required to execute a self-assessment of compliance at the Basic Assessment level. The federal government will determine if an additional Medium or High Assessment will be necessary. The results of all applicable assessments are recorded in the Supplier Performance Risk System and are valid for up to three years.

All levels of NIST Assessment use the same scoring system. A score of 110 represents full implementation of the NIST SP 800-171 controls, regardless of the method of implementation. Deductions from 110 are made for each control not implemented at the time of the assessment, with weights assigned to different controls. (Assessment Methodology at 7; 48 CFR 252.204-7020 (85 FR 61521–22).)

Each assessment begins with the contractor’s System Security Plan(s) (SSP). The SSP is a document that defines the controls applicable to a system with a given boundary. A contractor may define one SSP for its entire technical environment or may define multiple SSPs if controls differ across segments of the environment. The multiple SSP approach allows a contractor to designate a specific technical environment for processing controlled unclassified information (CUI) and thus limits the scope of the assessment. The NIST Assessment methodology requires the existence of an SSP. Without an SSP, no assessment can proceed, even at the basic level.


Between November 30, 2020, and October 1, 2025, federal contracts will phase in requirements for CMMC certification in place of the NIST Assessment. By October 1, 2025, all applicable federal contractors and subcontractors will be required to have CMMC certification. (Interim Rule 85 FR at 61511.)

The Interim Rule also introduces DFARS subpart 204.75, which specifies the policy and procedures for awarding a contract requiring CMMC certification during the CMMC phase-in period. The CMMC certification process for contractors and assessors as CMMC Third-Party Assessment Organizations (C3PAO) are managed by the CMMC Accreditation Body (CMMC AB). There are five levels of CMMC certification, with level 3 aligning closely to the NIST SP 800-171 framework (full discussion here). The Interim Rule clarifies that for applicable contracts, CMMC certification must be provided at the time of the award. (Interim Rule 85 FR at 61406–7.) Further public comment has been requested on this timing, as the government contemplated requiring certification at the time of the proposal or after the award.


All new prime contractors and applicable subcontractors who contract under DFARS clause 252.204-7012 will need to be fully prepared to fulfill the Basic Assessment requirement as of November 30, 2020, to qualify for future contract awards.

The government may require Medium and/or High Assessments for any contract. Contractors should begin to prepare for the self-assessment process immediately, as remediation activities could result in significant time and costs in light of the more stringent requirements associated with higher levels of compliance. Current contractors involved in classified or sensitive contracting environments would be well served to ensure that an assessment team is in place, SSP(s) have been completed for every relevant environment and the team, including counsel, has a thorough understanding of the assessment requirements in preparing for future contract opportunities.

Federal contractors and subcontractors should continue to monitor the CMMC process and leverage the self-assessment process to prepare for their anticipated level of CMMC certification. Although CMMC certification is not required until the contract is awarded, just as with the self-assessments, remediation activities can be costly, and should not be allowed to delay acceptance of contract awards.

Contractors who are ready to be certified will have a competitive advantage for the growing number of CMMC-requiring contracts over the next five years.

© 2020 McDermott Will & EmeryNational Law Review, Volume X, Number 280



About this Author

Laura E. Jehl Partner Global Privacy & Cybersecurity  Autonomous Vehicles  Compliance  Consumer Data & Digital Marketing  Cross-Border Data Protection  Data Breach Management  Data Licensing & Strategies  Employer Data Privacy  Health Information Privacy  Information Security & Risk Mitigation  Privacy Litigation & Governmental Investigations  FinTech and Blockchain  Technology & Commercial Transactions  Telecommunications Transactions  Energy  Food, Beverage & Agribusiness  Healthcare  Technology  Alcohol

Laura Jehl serves as global head of the Firm’s Privacy and Cybersecurity Practice. Focusing on the intersection of data, law and emerging technologies, Laura advises clients on a broad range of privacy and cybersecurity issues. She has extensive experience identifying and mitigating privacy and data protection issues arising out of the collection, use and storage of data as well as the design of new business models, products and technologies. With unique experience as a former senior in-house counsel and C-suite executive, she understands the business, legal and...

James W. Kim Government Contract Attorney McDermott Will Emery Law Firm

James W. Kim represents clients in a wide variety of matters related to government contracting, with a particular focus on cases involving the healthcare industry.


James has successfully litigated bid protest actions before the Government Accountability Office as well as the US Court of Federal Claims. He also has experience representing government contractors in civil and criminal government fraud investigations involving the False Claims Act, the Procurement Integrity Act and the Anti-Kickback Act. In addition,...

202 756 8386
Mandy H. Kim, McDermott Will Emery Law firm, Intellectual Property Litigation

Mandy Kim is an associate with the law firm of McDermott Will & Emery LLP and is based in the Firm’s Orange County office.  She focuses her practice on intellectual property litigation.

Brian Long Associate | Dallas Corporate & Transactional  Global Privacy & Cybersecurity

Brian Long focuses his practice on transactional and corporate matters, with an emphasis on cybersecurity.

While in law school, Brian was lead articles editor for the SMU Law Review. Prior to attending law school, Brian worked for more than 20 years in the cybersecurity, information security and IT risk management sector.

Jessica McGahie Sawyer Global Data Protection Attorney McDermott Will & Emery Los Angeles, CA

Jessica (Jessi) McGahie Sawyer advises companies on global data protection laws, including privacy, cybersecurity risks, policies and incident responses, as well as data security obligations. She counsels clients on compliance with the EU General Data Protection Regulation (GDPR) and US consumer privacy statutes. She advises clients on matters relating to data localization laws, international data transfers, privacy notices and data subject rights, cryptocurrency, e-commerce security and blockchain applications.

Jessi also helps companies implement cybersecurity and data privacy...