The current requirements for cybersecurity, among others, include compliance with DFARS 252.204-7012, 252.204-7019, and 252.204-7020. This includes the requirement for an active NIST SP 800-171 assessment score posted in the Supplier Performance Risk System (SPRS).
Cybersecurity Maturity Model Certification (CMMC), under DFARS 252.204-7021, is currently not required on any DLA acquisitions. The CMMC DFARS clause is currently undergoing a rule-making process with the Office of the Secretary of Defense (OSD). Changes to CMMC requirements in the DFARS will be released through an interim rule via an official Federal Register announcement.
DLA is aware of the potential conflict between anticipated CMMC requirements and our user terms and conditions. DLA will work to resolve any conflicts once the CMMC requirements are finalized. In the meantime, suppliers are reminded that using a VPN/Proxy server to mask internet usage/access violates the DLA Internet Bid Board System (DIBBS) and Collaboration Folders (cFolders) terms and conditions resulting in access denial to DIBBS, cFolders, and the Enhanced Joint Certification Program (EJCP). To protect our supply chains, these terms and conditions are likely to continue until DLA implements multi-factor authentication.
To view an information briefing on accessing DIBBS, cFolders, and export control technical data, see link: Information Briefing on CAGE Code, DIBBS, cFolders, and EJCP Sept 21 . If suppliers are unable to access their account due to DIBBS terms and conditions (T&Cs) violations, they should contact the DIBBS T&Cs monitor at: (DIBBS_TC_Monitor@dla.mil). For cFolders violations, contact the data custodian at: DLAJ344DataCustodian@dla.mil. Please continue to monitor DIBBS Notices for future updates.