With the federal government’s first False Claims Act case based on cybersecurity regulations from the Department of Defense (DoD) and NASA making its way through the courts, (United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc.) and the continuing issues surrounding the implementation of the 2016 amendments to the Defense Federal Acquisition Regulation Supplement (DFARS) designed to safeguard controlled unclassified information, defense contractors are facing a new challenge — the recently unveiled Cybersecurity Maturity Model Certification (CMMC). The CMMC is an enforcement mechanism recently introduced by the Department of Defense (DoD) and is intended to secure the supply chain throughout the defense industry. Defense contractors by now should be familiar with DFARS clause 252.204-7012, which requires contractors that handle covered defense information (CDI) to comply with the 110 security controls identified by the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 Revision 1. That clause, however, did not provide any certification method for compliance. The CMMC takes a step in that direction.
Intended for implementation beginning in 2020, and as presently envisioned by DoD, the CMMC’s five certification levels range from basic hygiene (lowest) to state-of-the-art (highest) and will be based on an assessment of both the contractor’s sophistication and institutionalization of processes. Government solicitations will have the required CMMC level incorporated in the RFP to act as a “go/no-go” check based on the level of the bidding contractor’s cybersecurity certification. In other words, if the contractor does not meet the prerequisite level of cybersecurity certificate, that alone may preclude the contractor from bidding on the contract. As envisioned, the CMMC model is intended to be semi-automated and cost-effective to allow smaller businesses to achieve level one and yet, and agile enough to adapt to emerging cyber threats. Additionally, the CMMC will include a tool for use by that third-party cybersecurity certifiers to conduct audits, collect metrics, and inform risk mitigation for the entire supply chain.
According to recent presentations by the DoD, the CMMC program should be launched by January 2020, and the industry can expect to start seeing the certification requirements in contract requests by June 2020, with requirements appearing in DoD RFPs by September 2020. Furthermore, DoD has stated that cybersecurity will be an “allowable cost” in certain contracts; a recognition by DoD of the importance of cybersecurity and the government’s willingness to pay for it to ensure compliant contractors. With the heightened enforcement of cybersecurity standards looming and the possibility disqualification of non-compliant bidders on government solicitations, government contractors should waste no time in moving forward to achieve compliance.