Defense Contractors To See New Cybersecurity Standards, Independent Certification Requirements

Holland & Knight LLP

Details concerning the U.S. Department of Defense's (DoD) new cybersecurity standards are emerging. The new set of security standards is called the Cybersecurity Maturity Model Certification (CMMC), and compliance with it will be required in order for DoD contractors to compete for contracts. This Holland & Knight client alert will cover what is known about the standards, the certification process and the schedule for implementation of the CMMC program.

Contractors should be aware that DoD is holding briefing sessions for contractors throughout the remainder of the summer. The CMMC website lists the locations of these sessions, and DoD has solicited requests for additional cities. If you are interested in suggesting an additional location, you can submit the request through the CMMC website.

What Will the CMMC Standards Look Like?

The CMMC criteria will be very important to DoD contractors, since they determine whether or not a contractor can submit a proposal for a contract for which it would otherwise be eligible. While not yet complete, the CMMC standards will certainly be based at least in part on National Institute of Standards and Technology (NIST) Publications 800-171 and 800-171B. NIST Publication 800-171 is the standard on which the current DoD cybersecurity rules are based. NIST 800-171B is the set of standards to be applied when a contractor is defending against Advanced Persistent Threats. DoD has also stated that it intends to review international cybersecurity laws and regulations, including those of the United Kingdom, Australia and Japan, and incorporate some of these standards if appropriate.

As developed so far, the CMMC program will contain five "levels" of requirements, with Level 1 being the least stringent. The levels are:

CMMC Level 5: Advanced/Progressive; 4 security controls; maps to NIST 800-171B

CMMC Level 4: Proactive; 26 security controls; maps to NIST 800-171B

CMMC Level 3: Good Cyber Hygiene; 47 security controls; maps to NIST 800-171

CMMC Level 2: Intermediate Cyber Hygiene; 46 security controls; maps to NIST 800-171

CMMC Level 1: Basic Cyber Hygiene; 17 security controls; maps to NIST 800-171

How Will DoD Use the CMMC Standards?

The importance of the new CMMC standards cannot be overstated. Beginning in June 2020 for requests for information (RFIs) and in September 2020 for requests for proposal (RFPs), DoD solicitations involving controlled unclassified information will be assigned a level. In order to submit a proposal, a contractor must have a third-party certification that its cybersecurity program complies with the applicable level. In other words, in the absence of the appropriate certification, a contractor will not be able to submit a proposal.

How Does a Contractor Get Certified?

The CMMC program will not accept self-certifications; instead, it will require contractors to obtain third-party certifications of their compliance with the applicable standards. DoD plans to use nonprofit organizations to train the third-party certifiers, who must complete this training to qualify for the CMMC program. The nonprofit trainers have not been announced to date.

What Is the Schedule for Obtaining Certifications?

DoD plans to release the CMMC standards this September or October. The nonprofit training sessions are scheduled to begin in January 2020. As soon as companies qualify to act as third-party certifiers, they can begin their evaluations and issuance of certifications to contractors. Under the current implementation schedule, DoD RFIs will begin to include the CMMC requirement in June 2020. The requirement will start appearing in RFPs in September 2020.

The development and implementation of the CMMC program is a work in progress. Holland & Knight will continue to monitor and report on new developments.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Holland & Knight LLP | Attorney Advertising
