To strengthen NIST 800-171, and specifically the enforcement of its requirements, the DoD released an Interim Final Rule that took effect on November 30, 2020. This Interim Final Rule requires all contractors and subcontractors to post a current assessment of their compliance with the 110 controls of NIST 800-171 into the DoD Supplier Performance Risk System (SPRS) as a prerequisite to submitting bids for new contracts or renewing existing contracts with the DoD.
The related NIST 800-171 provisions call for the submission of mandatory self-scoring (on a weighted 110-point scale), tracking in SPRS of progress towards achieving a perfect score, and the possible submission of a System Security Plan (SSP) and Plans of Action with Milestones (POAMs) for any unmet requirements.
In 2023, it is expected that the Defense Contract Management Agency (DCMA) will be evaluating the information submitted by contractors on their compliance with NIST 800-171. The goal is to get a better understanding of whether the Defense Industrial Base (DIB) is meeting its contractual and legal requirements for handling CUI.