The U.S. Department of Defense (DoD) released version 1.0 of its Cybersecurity Maturity Model Certification (known as CMMC) on Jan. 31, 2020. The CMMC model draws heavily on the National Institute for Standards and Technology's (NIST) Special Publication (SP) No. 800-171, as well as other cyber protection standards. Once DoD's rollout of the CMMC program is complete, contractors will need to have third-party certifications in order to be awarded DoD contracts.
While DoD implements all the elements of CMMC, DoD contractors will still need to comply with the existing DoD cybersecurity regulations, which went into effect on Jan. 1, 2017. These regulations require covered DoD contractors to: 1) comply with the NIST SP 800-171 cybersecurity standards; 2) report cyber incidents to DoD within 72 hours of discovery; 3) investigate cyber incursions while preserving affected media/data for 90 days and, if applicable, submit malicious software (discovered in connection with a reported cyber incident) to the DoD Cyber Crime Center; and 4) allow DoD access to impacted systems so it can do its own investigation. DFARS 252.204-7012. Small businesses and contractors providing commercial goods and services to DoD are not excluded from this requirement.
DoD has long believed that contractors' compliance with the DFARS clause has been uneven, posing a substantial security risk. CMMC, with its requirement for a third-party certification, is designed to minimize this risk.
There will be five levels of available certification that will be based on the level of the contractor's cybersecurity hygiene. Level 5 is attainable for contractors with the most robust security controls, while the most basic level is Level 1. Each higher level will incorporate the security controls in the previous level and expand on those requirements.
This chart summarizes the levels:
When issuing a solicitation, the agency will assign a level to a contract based on the type of information a contractor will create, have access to and house. Prime contractors bidding on that contract will need to be certified at that level at the time of award. The current expectation is that subcontractors who do not have access to all information will only be required to be certified at a lower level.Levels 1-3 represent "good cyber hygiene." Level 3 closely mirrors the security controls outlined in NIST SP 800-171 in addition to about two dozen other security controls. According to the glossary in the latest model released by DoD, "Practices" referenced in the chart are specific technical activities "that are required and performed to achieve a specific level of cybersecurity maturity for a given capability within a domain" and "Processes" are "procedural activit[ies] that [are] required and performed to achieve a capability level."
Importantly, it does not matter if the contractor or subcontractor is large or small, or if they provide commercial products and services to DoD. Further, CMMC is a requirement no matter what type of DoD information the contractor handles. Presumably, the less sensitive the information, the lower the level will be assigned to the contract. Further, it is expected that certifications will require renewal every three years.
CMMC Version v1.0
As noted above, DoD recently released CMMC v1.0. Included in the release were three documents:
- A CMMC Model Briefing that summarizes the model and offers other high level information including the level progression.
- Appendices to CMMC Model v1.0 that detail what is required for each Process/Practice, provide a glossary and reference other information.
In all, the model and supporting documents are nearly 400 pages long and explain the cybersecurity practices that contractors must adopt if they want to be certified and continue doing business with DoD.
The Expected Certification Process
DoD will not certify contractors. Instead, certification will be accomplished using assessors employed by private entities. These assessors will be trained and certified by an Accreditation Board (AB), which will also supply the certifications upon the assessor's recommendation.
Although the details about the assessment process have not yet been established (such as an order of assessments), the structural elements have begun to take shape with the establishment of the AB. Holland & Knight recently hosted an event that featured Katherine Arrington, the Special Assistant to the Assistant Secretary of Defense for Acquisition, ASD(A), for Cybersecurity, and members of the newly formed AB, including chair Ty Schieber from the University of Virginia and board member Mark Berman, CEO of FutureFeed. From the event and the AB's website, we learned that:
- The AB will develop training to train cybersecurity assessors and certify their ability to conduct cybersecurity assessments.
- Even though they will be trained by the AB, cybersecurity assessors will be employed by third-party companies.
- Assessors will be certified to a certain level, but they will have the ability to be "promoted" to higher levels with the proper experience.
- The AB Board anticipates there may be other accreditation boards that issue certifications for companies outside the United States.
The timeline for all of this happening is aggressive, with training to begin in the spring/summer 2020. DoD will publish proposed changes to its existing DFAR regulations and clause in the near future, targeting the spring/summer for a final rule.
Initially, DoD maintained that all Requests for Information (beginning June 2020) and Requests for Proposal (beginning September 2020) would be subject to CMMC. Recently, DoD announced a more gradual rollout, beginning with larger defense contractors and contracts.
No matter the schedule, CMMC will be a dramatic change for many contractors, particularly those that are not yet compliant with the existing DFARS clause. Contractors should now be considering:
- Cost: DoD maintains that the cost of an assessment will not be prohibitive, but it has no direct control of costs charged by third parties. DoD has said that the costs of compliance will be allowable, but has not provided any specific guidance as to cost allowability. Significant questions remain, such as how compliance costs will impact pricing and whether the costs will price small businesses out of the market.
- Level Setting: DoD will likely issue internal guidance, at the least, to help contracting agencies set the correct level for each contract. Nevertheless, the challenge will be setting the appropriate level required for each contract. Contracting agencies within DoD may be tempted to assign higher levels than necessary to avoid backlash if there is a breach, utilize a certain level to artificially limit competition or utilize a higher level to support a sole source award.
- Evolving Level Requirements: DoD anticipates that the requirements for the levels will evolve year-by-year due to the changes in the cybersecurity environment. It will be important for contractors to pay attention to differences during performance of contracts and especially during re-certifications.
- Disputes: The AB is considering, but has not yet announced, how it will handle cases in which a contractor wishes to challenge a third-party assessor's determination.
Contractors have resources to turn to and help them through the challenges of CMMC compliance. First, Holland & Knight will continue to hold public events with industry leaders. Please sign up for our mailing list to be among the first to find out. Our previous event sold out after registering more than 330 attendees, and we expect to hold events outside the D.C. metropolitan area this spring. Second, helpful information can be find on both the AB's website and the DoD's website.
As CMMC rolls out, contractors should pay close attention to requirements and proposed regulations as they continue to develop. Contractors without DoD contracts should also pay close attention because it would not be surprising to see civilian agencies start to adopt a similar framework/requirement.
As always, reach out to Holland & Knight's government contracts attorneys if you have further questions.