The Next Step Toward Cybersecurity Compliance for Defense Contractors

On January 31, 2020, the Department of Defense (DoD) released the greatly anticipated Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) marking another step toward the DoD’s goal of enhancing the protection of sensitive information within the supply chain throughout the Defense Industrial Base (DIB).  Designed to safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), the CMMC takes a bold step toward cybersecurity compliance for defense contractors.

  1. Five Compliance Levels

The CMMC defines five levels, each with a set of supporting practices and processes.  The levels range from the lowest, Level 1 (basic cyber hygiene) to a maximum of Level 5 (advanced/progressive).  In order to meet a specific level, a defense contractor must meet the practices and processes within that level and all the levels below. The more cybersecurity practices and processes are implemented and embedded across an organization, the more mature the organization is considered. The CMMC model consists of 17 Capability Domains, the majority of which originated from the Federal Information Processing Standards (FIPS) 200 security related standards and the National Institute of Science and Technology’s (NIST) SP 800-171 controls.  Level 1 only addresses practices from FAR Clause 52.204-21.  Level 3 (good cyber hygiene) includes all the practices from NIST SP 800-171 Rev.1, and others.  Levels 4 and 5 (proactive and advanced/progressive) incorporate practices from draft NIST SP 800-171B and others.  Additional sources were also considered and are referenced in the model.

  1. Pass/Fail

Government solicitations will have the required CMMC level incorporated in Requests for Proposals (RFPs) and Requests for Information (RFIs) upon release and will act as a “pass/fail” filter based on the level of the bidding contractor’s cybersecurity certification.  Contractors will be required to meet the designated level at time of contract award.  Prime contractors must flow down the appropriate level to subcontractors.  All contractors, including subcontractors, will be required to meet Level 1 unless a higher level is specified in the solicitation.  According to the DoD, Phase 1 of the CMMC model only applies to contractor networks, not their products. DoD is not requiring CMMC compliance on existing contracts but on solicitations moving forward.

  1. Third Party Certifications

Importantly, the CMMC model requires all companies doing business with the DoD to be certified, regardless of whether they handle CUI. This casts a wider net than the DFARS clause 252.204-7012 standard. The model relies on independent third-party auditing organizations to certify contractor compliance with the possibility of DoD assessors such as the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA) performing some higher-level assessments. Although not intended for classified systems, according to DoD, the DCSA will include CMMC assessments as part of their holistic security rating score. The DoD has established a CMMC accreditation body to operate the certification program and oversee training and certification of the third-party assessors. The CMMC model allows a DIB contractor to achieve a specific level across the entire enterprise network or for a particular segment or enclave, depending upon where protected information is handled and stored.

  1. Program Roll-Out/Allowable Costs

The DIB can expect to start seeing the CMMC requirements as part of RFIs by June 2020, with requirements appearing in DoD RFPs by autumn of 2020.  Based on recent announcements, DoD anticipates on issuing a small number of  solicitations with CMMC requirements this autumn which will likely require varied CMMC Levels, including a small number requiring higher level certifications. DoD has stated that cybersecurity will be an “allowable cost” in certain contracts; a recognition by DoD of the importance of cybersecurity and the government’s willingness to pay for it to ensure compliant contractors. With the heightened enforcement of cybersecurity standards looming, and the possibility disqualification of non-compliant bidders on government solicitations, government contractors should waste no time in moving forward to achieve compliance.