The U.S. Department of Defense (DoD) recently made two announcements relevant to companies tracking the Cybersecurity Maturity Model Certification (CMMC): (1) the DoD will pilot CMMC enforcement on up to seven upcoming contracts that the DoD agencies expect to award in late 2021, and (2) reciprocity will be afforded to contractors that have already received cybersecurity audits pursuant to certain programs. This client alert will provide an overview of these two important updates.
By now, most defense contractors are familiar with the CMMC, which is the DoD’s new cybersecurity certification requirement. The CMMC is a unified standard for implementing cybersecurity across the defense industrial base (DIB), which includes over 400,000 companies in the supply chain. The CMMC was developed in response to significant compromises of sensitive information contained in contractor information technology systems. Previously, contractors were responsible for implementing, monitoring, and self-certifying the security of their information technology systems and any sensitive DoD information stored on or transmitted by those systems. Now, contractors remain responsible for implementing critical cybersecurity requirements, but the CMMC shifts the paradigm by mandating third-party assessments of contractors’ compliance with certain practices, procedures, and capabilities to ensure that they can adapt to new and evolving cyber threats from foreign and domestic adversaries. The DoD plans to implement the CMMC requirements through a phased roll-out, with all requirements becoming effective in 2025. We previously discussed the CMMC framework in a September 2019 blog post, a podcast in March 2020, and a client alert in June 2020.
CMMC’s seven pilot programs
In December 2020, the DoD announced that its CMMC third-party certification would be required for up to seven contracts that it expects to award in late 2021:
- Technical Advisory and Assistance (Missile Defense Agency)
- Integrated Common Processor (U.S. Navy)
- F/A-18E/F Full Mod of the SBAR and Shutoff Valve (U.S. Navy)
- DDG-51 lead yard services/follow yard services (U.S. Navy)
- Mobility Air Force Tactical Data Links (U.S. Air Force)
- Consolidated Broadband Global Area Network Follow-On (U.S. Air Force)
- Azure Cloud Solution (U.S. Air Force)
As of February 22, 2021, none of the solicitations for these contracts had been released.1
If the DoD ultimately approves any or all of these procurements as pilots for the CMMC, offerors will need to be certified at the CMMC level required by the solicitation concerned and will have to flow down the appropriate CMMC requirements to subcontractors upon award. We anticipate, based upon the DoD’s pubic statements, that these solicitations will require contractor certification at a Level 3,2 at a minimum.
The DoD Chief Information Security Officer (CISO) has indicated that the 2021 pilots are just the beginning. We anticipate that a total of 15 solicitations will incorporate CMMC requirements by the end of 2021. Once CMMC is fully implemented by 2025, nearly all members of the DIB will be required to have CMMC certifications in place. Additionally, every DoD solicitation will require that contractors are certified at a specific CMMC level before bidding on the solicitation.
The DoD has signaled that it is focused on reducing costs for contractors as they work toward compliance with the requirements of the CMMC. In this regard, Ms. Katie Arrington, DoD CISO for Acquisition and Sustainment, has publicly stated that CMMC reciprocity may be available for certain government certification programs already in existence. One program that the DoD has suggested might be a candidate for reciprocity is the Federal Risk and Authorization Management Program (FedRAMP). Similarly, Stacy Bostjanick, CMMC’s director at the DoD Office of the Undersecretary of Defense for Acquisition and Sustainment, has indicated that a team is working with the General Services Administration and the DoD to align the requirements, methodologies, and levels of the CMMC and FedRAMP programs.
Additionally, the DOD has reported that it completed its reciprocity assessment for the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The DIBCAC was established in 2017 and performs provisional audits, as well as spot-assessments of contractors after cybersecurity incidents. Currently, there is a guidance memo pending signature that is expected to solidify the extent to which contractors assessed by the DIBCAC will be granted reciprocity with respect to their CMMC certification.
Reciprocity has been a key discussion point for reducing costs for contractors as they strive to comply with the CMMC requirements. We expect the DoD to provide more information in the coming months about reciprocity between CMMC requirements and other cybersecurity audit programs. This information will be critical to contractors seeking to obtain certification.