Helping individuals, companies, and organizations understand key legal and practical considerations for promoting compliance and making better business decisions in these types of federal, state, and local government contracting matters MORE

Understanding the requirements for compliance with the interim DFARS rule on basic assessment and compliance with Cybersecurity Maturity Model Certification (CMMC) is not a task for the faint of heart. The rule requires that you accurately report the status of your compliance with the cybersecurity requirements in National Institute of Standards and Technology Special Publication (NIST SP) 800-171 and, for specific procurements in the initial CMMC pilot program and moving forward, that you address your level of compliance under the CMMC program.  Preparation here is crucial as the Department of Defense (DoD) has announced that all contractors, except those solely furnishing Commercial Off-The-Shelf (COTS), must submit their basic compliance assessment into the Supplier Performance Risk System (SPRS) to be considered for future contract awards.

To address some of the more pressing questions posed by the roll out of the DFARS rule, NDIA hosted a tabletop exercise addressing the rule’s solicitation and contract performance requirements. My NDIA Cyber Legal Policy Co-Chair Rolando Sanchez and I co-wrote the following article on the results of that tabletop webinar and some lessons learned, which was published in the June 2, 2021 National Defense Magazine:

Addressing Solicitation, Contract Performance After CMMC (

This article is publicized here with the permission of the NDIA Defense Magazine.

Stay tuned for more on the new and emerging cybersecurity requirements.  Given the recent Executive Order issued in the wake of the Colonial Pipeline cyber incident, we can expect to see more new, as well as revised, rules and recommendations rolling out.