DoD Releases New CMMC Score Requirements


New CMMC Interim Rule Requires NIST Score Requirements for Contracts

Since the unveiling of the Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology (NIST) compliance requirements in 2017, the Department of Defense (DoD) has been stymied by an inability to verify NIST 800-171 compliance among contractors. Between the self-attestation requirements, perpetual Plan of Actions and Milestones (POAMs) and no risk of audits, there has been very little incentive for DoD contractors to fully implement all 110 requirements of the compliance framework.

That all ended on November 30, 2020, with the unveiling of a new CMMC Interim Rule.

What is the CMMC Interim Rule?

The DoD is issuing an interim rule to amend the DFARS to implement a DoD Assessment Methodology and CMMC framework to assess the contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.

Under the new regulations, all contractors will be required to publish a score representing their NIST 800-171 compliance progress before they can receive a contract. In addition to the score, contractors must also publish a date by which all requirements will be implemented.

Breaking Down the Impact to NIST 800-171

The government will utilize a vendor report card system called the Supplier Performance Risk System (SPRS) to “verify that an offeror has a current (i.e., not more than three years old, unless a lesser time is specified in the solicitation) Assessment, at any level, on record prior to contract award.”

The assessment referenced above is a score created through a review of your NIST 800-171 implementation as described in your System Security Plan. What does this mean for you? You will need to have a System Security Plan in place in order to perform this assessment.

“The absence of a system security plan would result in a finding that an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.” – NIST SP 800-171 Assessment Methodology Version 1.2.1 Annex A Comment 3.12.4

Once you have received your score, you will need to submit it to the SPRS.

The CMMC Impact

CMMC is now on a 5-year rollout plan, and after October 1st, 2025, all contractors will be required to meet CMMC compliance on all DoD solicitations and contracts. During this phase, your organization should be reviewing its current System Security Plan (SSP) and its POAMs. Partnering with a reputable third-party vendor can help address your concerns and help you understand the gaps in your security and compliance plan. Corsica Technologies can help your organization understand the impact your security score might bring.

Our team of compliance experts is here to help. If you do not have the NIST framework in place or if your team needs help meeting your POAMs, schedule a call with one of our experts here or read more about how we help organizations with NIST 800-171.
