The Cybersecurity Maturity Model Certification (CMMC) program, first announced in 2019 by the Department of Defense (DoD), aims to enhance the cybersecurity profile of DoD contractors. The original iteration of DoD’s cybersecurity overhaul, CMMC 1.0, was scrapped after a lengthy public comment process, eventually resulting in a new, more streamlined program known as CMMC 2.0. This program requires contractors and subcontractors that store Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from the DoD to meet specific cybersecurity requirements as a precondition to compete on DoD federal contracts. CMMC assures the DoD that contractors and subcontractors can meet the cybersecurity requirements that apply to their acquisition programs and protects the DoD’s sensitive information from unauthorized disclosure.

Although the DoD has included cybersecurity standards in federal contracts since 2013, widespread implementation and institutionalization of these practices have been obstructed by contractor indifference to the threat environment, the significant costs associated with compliance, and the lack of compliance verification by the DoD. In a 2019 Department of Defense Office of the Inspector General (DoD OIG) report, “Audit of Protection of DoD Controlled Unclassified Information on Contractor-Owned Networks and Systems,” the DoD OIG concluded that contractor security controls for networks and systems containing CUI were not consistently implemented. The report, which selected a non-statistical sample of nine contractors with DoD contracts worth $1 million or more, identified deficiencies in all nine contractors. These deficiencies were related to using multifactor authentication, enforcing strong passwords, identifying and mitigating network and system vulnerabilities, and documenting and tracking cybersecurity incidents. The DoD OIG stated, “[because of the stated vulnerabilities] the DoD is at greater risk of its CUI being compromised by cyberattacks from malicious actors who target DoD contractors. Malicious actors can exploit vulnerabilities on the networks and systems of DoD contractors and steal information related to some of the nation’s most valuable advanced defense technologies.” The report led the DoD to conclude that “absent a requirement for defense contractors to demonstrate implementation of standard cybersecurity processes and practices, cybersecurity requirements will not be fully implemented, leaving the DoD and Defense Industrial Base (DIB) unprotected and vulnerable to malicious cyber activity.” Ultimately, the DoD implemented CMMC to address the DIB’s systemically ineffectual cybersecurity ecosystem.

CMMC 2.0 implements a three-tiered model, with progressively advanced levels of cybersecurity depending on the type and sensitivity of the information stored on the contractors’ network infrastructure. The first tier, Foundational Level 1, implements 15 best practices and requires an annual self-assessment and affirmation from a company official that the company is meeting the DoD’s requirements.

Level 1 is designed for contractors and subcontractors storing FCI and must meet only basic cyber hygiene standards, such as ensuring employees regularly change passwords. A certain subset of Level 2 contracts, namely those storing CUI or information critical to national security, will require implementing the 110 practices aligned with NIST SP 800-171 and a triennial certification from Certified Third-Party Assessment Organizations (C3PAOs). The contractor will be fully responsible for obtaining the needed assessment and certification. Lastly, contracts requiring Level 3 compliance, the highest and most stringent CMMC tier, will need government-led triennial evaluations.

HOW CONTRACTORS CAN BEST PREPARE FOR CMMC 2.0

Current guidance from the DoD states that CMMC 2.0 will require an approximate timeline of 9-24 months of rulemaking before it becomes a standard clause in federal contracts. Estimations place the final DoD rulemaking sometime near May 2023, with full implementation of CMMC in DoD contracts 60 days later, or around July 2023. Organizations, especially those that either store CUI or plan to compete on federal contracts in which CUI may be passed from the government to contractor or from the prime contractor to a subcontractor, should work on fully implementing the 110 security controls in NIST SP 800-171, which is currently present in federal contracts as FAR 52.204-21 and DFARS 252.204.7012. Full implementation of NIST SP 800-171 will improve the self-assessment score contractors post to the DOD’s Supplier Performance Risk System (SPRS). The DoD states there may be incentives for improved scores and/or early adoption of CMMC 2.0. Contractors who wish to view the DoD’s requirements for Level 1 and Level 2 compliance can visit the DoD CIO website. The DoD is currently working on a Level 3 Assessment Guide that will be published later.

What to Expect During an Annual Self-Assessment

Annual compliance self-assessments with CMMC will be possible for Level 1 contracts and a specific subset of Level 2 contracts. Along with the senior company’s official affirmation of compliance in SPRS, the annual self-assessment asserts that a contractor meets all basic safeguarding requirements for FCI in FAR Clause 52.204.21. Contractors conducting a self-assessment should specify the scope of their assessment before conducting any compliance review. For a CMMC Level 1 review, the assets that store, process, or transmit FCI are considered in-scope and should be assessed against CMMC Level 1 practices. When conducting the self-assessment, a variety of techniques may be used, including:

1. Examining: Reviewing, inspecting, observing, studying, or analyzing assessment objects
2. Interviewing: Holding discussions with individuals or groups with knowledge of processes
3. Testing: Exercising assessment objects under specified conditions to compare actual with expected behavior

Determining which techniques are most useful for a given self-assessment is left to the contractor’s discretion, who must ensure sufficient evidence exists to demonstrate that they have fulfilled all requirements for Level 1 certification. The self-assessment results in one of three possible findings: MET, NOT MET, or NOT APPLICABLE. To demonstrate Level 1 compliance, the contractor will need a MET or NOT APPLICABLE finding on all Level 1 practices. Statements indicating the response conforms to all objectives, along with supporting evidence, must be included in the self-assessment.

WHAT TO EXPECT WITH CERTIFIED THIRD-PARTY ASSESSMENTS

Certified Third Party Assessors will verify and validate that the contractor has properly implemented each of the practices for CMMC Level 2. The assessor may use various techniques, including those mentioned above (i.e., examining, interviewing, or testing), to determine whether the practices are being met. The Certified Assessor will follow NIST SP 800-171A when determining which assessment methods to use. For example, for interviews, the Assessor will typically have discussions with staff to determine “if CMMC practices are being implemented, as well as if adequate resourcing, training, and planning have occurred for individuals to perform the practices.” Additionally, the Assessor will typically examine contractor documentation to determine if assessment objectives are met. These include policy, process, and procedure documents; training materials; planning documents; and system-level and network diagrams. Lastly, the Assessor will test appropriate processes for compliance.

The assessment of each CMMC Level 2 practice receives a MET, NOT MET, or NOT APPLICABLE rating. Therefore, to achieve a specific CMMC certification, a contractor must obtain a MET or NOT APPLICABLE rating on every practice at their desired level.

WHAT ARE THE RISKS OF CMMC NONCOMPLIANCE

Although the nature of self-assessments may incentivize some contractors to cut corners and conceal their security environment to continue competing for lucrative government contracts, the risks of such behavior have never been higher. Indeed, even third-party assessors can be purposefully led astray with false documentation and coached interviews with staff. Deputy Attorney General Lisa Monaco recently announced the launch of the Department of Justice’s (DoJ) new Civil Cyber-Fraud Initiative. She stated, “we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards.” The DoJ initiative plans to utilize the False Claims Act (FCA) to pursue cybersecurity-related fraud by government contractors and grant recipients. The FCA is a powerful government civil tool meant to claw back funds from contractors and grant recipients who make knowing and “material” misrepresentations to the government. In addition, the Act empowers whistleblowers who know of contractor wrongdoings by protecting them from retaliation and allowing them to share in any recovery.

A little over a year old, the DoJ’s new Civil Cyber-Fraud Initiative has already begun pursuing cases against government contractors for misrepresenting their level of cybersecurity compliance. For example, Comprehensive Health Services recently settled a case with the U.S. Government for $930,000 concerning the company's misrepresentations regarding cybersecurity protections for data stored outside its system. In U.S. ex rel. Markus v. Aerojet Rocketdyne Holdings Inc., Aerojet Rocketdyne, a propulsion and power systems manufacturer for the DoD and NASA, agreed to pay $9 million to settle claims that it violated the FCA by misrepresenting its compliance with DoD cybersecurity requirements.

THE THREAT ENVIRONMENT

Although ordinary cyber criminals and insider threats represent significant attack vectors, the most persistent and sophisticated attackers, particularly when it comes to the DIB, are the advanced persistent threat individuals or groups. Advanced persistent threats (APTs) can be distinguished from ordinary cyber-criminals by their level of organization, choice of specific targets, ability to move laterally within systems once compromised, and the inherent difficulty associated with their detection. On an organizational level, APTs are typically staffed by groups of skilled hackers equipped with voluminous financial and technical resources derived from state sponsorship. This enables APTs to focus on specific targets for extended periods, probing for weaknesses in a persistent manner. Organizations targeted typically possess intelligence, intellectual property, or trade secrets of immense value to nation-state individuals or groups. Once organizational networks are compromised, APTs work to move laterally within the system by obtaining additional privileges and to conceal their intrusion from detection.

APTs possess well-defined attack methodologies perfected through years of experience. They typically begin with spear-phishing or some other form of social engineering to initially compromise an organization. After the initial compromise and establishing a sufficient foothold, APTs escalate privileges, conduct internal reconnaissance, move laterally, and maintain their presence - performing this cyclically while exfiltrating as much data as possible before detection. In the initial compromise phase, APTs frequently target the individual users of an organization using spear-phishing or other social engineering tactics. Spear-phishing messages may contain malicious attachments or links to malicious files or websites. Less commonly, APTs may attempt to gain access by exploiting technical vulnerabilities in public-facing infrastructure. Having gained access, APTs establish a foothold by utilizing public backdoors, such as GhOst RAT and Poison Ivy, or use custom backdoors to control one or more computers in an organization remotely. In the escalation of privileges phase, APTs acquire usernames and passwords within the victim’s network environment. After gaining sufficient privileges, they conduct internal reconnaissance and move laterally within the system to obtain the privileged information they seek. In the maintain presence phase, they take actions to maintain control over systems within the network environment. This is typically accomplished through the installation of new backdoors, as well as through the installation of new families of malware throughout the environment to render the removal of the APT more difficult once detected. The APT cyclically repeats this attack lifecycle until they are detected or removed from the system.

APTs represent a growing threat to organizations and governments around the world. Their state-sponsored nature provides them with a wealth of resources that separate them from more common threat individuals or groups. Addressing this threat requires substantial levels of public-private coordination; a comprehensive, adaptive, and widely subscribed cybersecurity framework; active cyber-defense; and increasing levels of individual awareness of the nature of the threat. Massive amounts of intelligence and hundreds of billions of dollars worth of intellectual property are at risk of being transferred to adversaries if the threat persists in a permissive environment defined by weak security controls and uncoordinated response mechanisms.

CONCLUSION

Federal contractors within the DIB have long represented a critical vulnerability to U.S. national security due to a permissive cybersecurity environment typified by self-assessments, lack of government oversight, and the reluctance of the DoJ to utilize tools like the FCA to punish violators. CMMC 2.0, third-party and government-led assessments, and the DoJ’s Civil-Cyber Fraud Initiative are now acting to prevent these vulnerabilities. Federal contractors that handle FCI and CUI need to quickly address their cyber readiness if they wish to continue to compete for lucrative DoD contracts, which the Government Accountability Office (GAO) estimates topped $421.8 Billion in FY20.

*Associate

¹ DOD OIG Rpt. pg. x

² Id. at i-ii

³ Id. at ii.

⁴ Assessing Contractor Implementation of Cybersecurity Requirements, at 61518.

⁵ See https://DoDcio.defense.gov/CMMC/about/ (last visited Mar. 21, 2023)

⁶ https://www.nist.gov/blogs/manufacturing-innovation-blog/what-nist-sp-800-171-and-who-needs-follow-it-0 (last visited Nov. 23, 2022).

⁷ See https://www.jdsupra.com/legalnews/cmmc-2-0-DoD-advises-industry-to-begin-7344553/. Referencing a recent ABA Section of Public Contract Law’s Cmte. on Cybersecurity’s panel event on CMMC 2.0 and discussing that DOD may be considering incentives for early adopters, which may include providing a 4-year expiration of certification rather than the triennial 3-year certification in the CMMC 2.0 Notice of Proposed Rulemaking. (last visited Nov. 23, 2022).

⁸ https://DoDcio.defense.gov/CMMC/Assessments/ or https://DoDcio.defense.gov/CMMC/. Also note that most, though not all, Level 2 contracts will require a Certified Third-Party Assessment Organization to conduct a compliance review prior to certification (last visited March 13, 2023).

⁹ https://DoDcio.defense.gov/CMMC/Assessments/ (last visited Mar. 21, 2023).

¹⁰ Id.

¹¹ Id.

¹² https://DoDcio.defense.gov/CMMC/Assessments/ (last visited Mar. 21, 2023).

¹³ https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative (last visited Nov. 23, 2022)

¹⁴ Id.

¹⁵ See UNIVERSAL HEALTH SERVICES, INC. v. UNITED STATES ex rel. ESCOBAR, 780 F. 3d 504, [2016], for contention that the implied false certification theory can be a basis of FCA liability when a defendant submits a claim making specific representations about goods or services provided, but fails to disclose noncompliance with material statutory, regulatory, or contractual requirements that makes those representations misleading.

¹⁶ U.S. ex rel. Lawler v. Comprehensive Health Services, Inc., et al., No. 20-cv-698, Dkt. 26-1 (E.D. N.Y. Feb. 28, 2022).

¹⁷ https://www.justice.gov/opa/pr/aerojet-rocketdyne-agrees-pay-9-million-resolve-false-claims-act-allegations-cybersecurity

¹⁸ I. Friedberg et al, "Combating advanced persistent threats: From network event correlation to incident detection," Comput. Secur., vol. 48, pp. 35-57, 2015. (https://www.sciencedirect.com/science/article/pii/S0167404814001461)

¹⁹ MANDIANT, APT1: EXPOSING ONE OF CHINA’S CYBER ESPIONAGE UNITS 27 (2013). (https://www.mandiant.com/resources/reports/apt1-exposing-one-chinas-cyber-espionage-units)

²⁰ Id. at 63

²¹ Id.

²² Id.

²³ https://www.gao.gov/blog/snapshot-government-wide-contracting-fy-2020-infographic (last visited Nov. 23, 2022).