The DoD Has Released the Final Cybersecurity Maturity Model Certification - Now What?
The U.S. Department of Defense (DoD) released its much-anticipated Cybersecurity Maturity Model Certification (CMMC) (version 1.0) after multiple draft iterations and significant input from University Affiliated Research Centers, Federally Funded Research and Development Centers, and industry. DoD contractors should take immediate steps to learn the CMMC's technical requirements and prepare not only for certification, but long-term cybersecurity agility.
Details on how the CMMC assessments will be conducted, and how to challenge those assessments, are anticipated soon. DoD contractors that have already started to evaluate their practices, procedures, and gaps when the details are finalized will be well-positioned to quickly navigate the process and meet the mandatory CMMC contract requirements for upcoming projects.
The CMMC is a unified standard for implementing cybersecurity across the Defense Industrial Base (DIB) which includes over 300,000 companies in the supply chain. The CMMC is DoD's response to multiple significant compromises of sensitive defense information located on contractors' information systems. Previously, contractors were responsible for implementing, monitoring, and certifying the security of their information technology systems and any sensitive DoD information stored on or transmitted by those systems. Contractors still remain responsible for implementing critical cybersecurity requirements but the CMMC changes this paradigm by requiring third-party assessments of contractors' compliance with certain mandatory practices, procedures, and capabilities that can adapt to new and evolving cyber threats from adversaries.
The CMMC Framework
The CMMC establishes five certification levels that reflect the maturity and reliability of a company's cybersecurity infrastructure to safeguard sensitive government information on contractors' information systems. The five levels are tiered and build upon each other's technical requirements. Each level requires compliance with the lower level requirements and institutionalization of additional processes to implement specific cybersecurity-based practices. The relevant processes and practices of each level are provided in short below:
- Level 1: a company must perform "basic cyber hygiene" practices, such as using antivirus software or ensuring employees change passwords regularly to protect Federal Contract Information (FCI).1
- Level 2: a company must document certain "intermediate cyber hygiene" practices to begin to protect any Controlled Unclassified Information (CUI)2 through implementation of some of the U.S. Department of Commerce National Institute of Standards and Technology's Special Publication 800-171 Revision 1 (NIST 800-171 r1) security requirements.
- Level 3: a company must have an institutionalized management plan to implement "good cyber hygiene" practices to safeguard CUI, including all the NIST 800-171 r1 security requirements as well as additional standards.
- Level 4: a company must have implemented processes for reviewing and measuring the effectiveness of practices as well as established additional enhanced practices that detect and respond to changing tactics, techniques, and procedures of Advanced Persistent Threats (APTs).3
- Level 5: a company must have standardized and optimized processes in place across the organization and additional enhanced practices that provide more sophisticated capabilities to detect and respond to APTs.
All DoD contractors will eventually be required to obtain a CMMC certification. This includes all suppliers at all tiers along the supply chain, small businesses, commercial item contractors, and foreign suppliers. The CMMC Accreditation Body (CMMC-AB) will coordinate directly with DoD to develop procedures to certify independent Third-Party Assessment Organizations (CP3AOs) and assessors that will evaluate companies' CMMC levels. DoD predicts that it will begin to include minimum certification requirements in Requests for Information (RFIs) as early as June 2020 and in select Requests for Proposals (RFPs) in September 2020. DoD has also indicated that a prime-level certification requirement will not necessarily be the same certification level required throughout its entire supply chain for a given contract. Differing certification levels on a single contract have the potential to raise complex implementation challenges for primes and subcontractors alike.
Legal Implications and Takeaways
- Certification Preparation Starts Now: Accreditation procedures and accreditors have not yet been established but we expect details soon. DoD estimates that the DIB includes more than 300,000 contractors and they will all need certification to continue to compete for DoD contracts. Companies that are prepared for the certification process could result in a more efficient assessment with positive end results. Contractors should begin taking immediate steps to: (1) clearly document practices and procedures with those requirements with which they are already in compliance, and (2) plan for and implement further procedures and practices to obtain the highest certification level possible. Prime contractors also should begin (or continue) working with subcontractors throughout the supply chain contractors to assist in developing compliance programs where necessary or reviewing programs already in place.
- Engage with Agencies: Offerors should closely review RFIs and RFPs that include minimum certification requirements to ensure the assessed level is not unnecessarily burdensome and that it provides enough clarity for the certification level required throughout the supply chain. Offerors should consider providing feedback to DoD during the market research stage and during an RFP's question and answer process. If the issue is not resolved to the offeror's satisfaction, the offeror could consider bringing a pre-award protest—although, as a general matter, the U.S. Government Accountability Office and the Court of Federal Claims likely will be deferential to DoD on questions related to national security and technical requirements.
- Challenging Assessments: One of the most significant concerns for contractors of all sizes is what type of due process will be available if a certification level or audit result is erroneous. The CMMC assessments could have a significant impact on contractors' ability to meet minimum contract requirements and a low rating could limit a contractor's ability to meaningfully compete for work. Currently, the CMMC does not establish a contractor's right of appeal, although DoD indicates it is coming. This is an important development to follow. Where possible, contractors should provide DoD detailed feedback on any proposed due process procedures to ensure it is adequate.
For more information, please contact:
Marcus A.R. Childress*
Preston L. Pugh*
Abigail T. Stokes*
*Former Miller & Chevalier attorney
1FCI is "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government" but not public information or certain transactional information. FAR 52.204-21(a).
2CUI is "any information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls" but does not include certain classified information. U.S. Dep't of Commerce Nat'l Institute of Standards (NIST) and Tech.'s Special Pub. NIST 800-171 (rev. 1) at 1 n3, NIST (Dec. 2016), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf.
3An APT is an adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors. (e.g., cyber, physical, and deception). CMMC (ver. 1) at 5, U.S. Office of the Under Sec'y of Defense for Acquisition & Sustainment (Jan. 30, 2020), https://www.acq.osd.mil/cmmc/docs/CMMC_Model_Main_20200203.pdf.
This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.