DOD Issues “Draft Version 0.6” of Its Cybersecurity Maturity Model Certification, Part of an Initiative That Likely Will Have Critical Ramifications for All Companies Seeking to Conduct Business with DOD

Miles & Stockbridge P.C.

On November 7, 2019, DOD issued “Draft Version 0.6” of its Cybersecurity Maturity Model Certification (CMMC) – a 90-page document that is available on DOD’s CMMC website.  Version 0.6 is a significant step forward, but there are still a large number of unanswered questions concerning the CMMC initiative.

Background

In October 2016, DOD issued a final rule implementing the current version of the clause at DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.”  The clause is costly and burdensome, requiring (for example) compliance with the 110 security requirements in NIST Special Publication 800-171.  In large part, DOD has relied on contractor self-attestation of compliance with the clause.  However, DOD has concluded that the steps taken to date are not enough and that the level of contractor compliance is unsatisfactory.

CMMC Overview

Accordingly, earlier this year, DOD launched the CMMC initiative, which is being headed up by the Office of the Undersecretary of Defense for Acquisition and Sustainment.  DOD is working with various groups, including Johns Hopkins and Carnegie Mellon, to develop the CMMC, which will review and combine various cybersecurity standards into one unified standard.  The intent is for certified independent third-party organizations to conduct audits of the entire DOD supply chain.  The CMMC initiative is significant – DOD has stated that compliance with one of the five “Levels” (discussed further below) in a specific solicitation will be a “Go/No Go” decision, meaning you fully comply with that Level or you cannot compete.  All companies will have to obtain the appropriate certification in order to do business with DOD.

CMMC Version 0.4

DOD issued CMMC Version 0.4 on September 5, 2019, and asked for comments by September 25, 2019.  Despite that short turnaround, DOD received 2,000 comments.  Version 0.4 specified five CMMC Levels, with Level 1 constituting “Basic cybersecurity,” and Level 5 reflecting “Highly advanced cybersecurity practices.”  Version 0.4 also specified 18 “Domains” based on cybersecurity best practices.  The Domains are comprised of “Capabilities,” which in turn consist of “Practices” and “Processes” mapped across the five Levels.

Draft Version 0.6

DOD has now issued the next public version, “Draft” Version 0.6, which DOD states “significantly reduces the model size, modifies the practices and processes, and provides clarifications and examples for CMMC Level 1.”  Version 0.6 includes information on Levels 1 through 3, with “clarifications” for Level 1 in an appendix – those clarifications map to the 15 safeguarding requirements specified at FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems.”  However, Version 0.6 notes that updates to Levels 4 and 5 will be provided later because DOD is still addressing the public comments it received.  The new Version keeps the Domains/Capabilities/Practices/Processes framework (reducing the number of Domains from 18 to 17).  Examples of Domains are “Asset Management” and “Incident Response.”  Version 0.6 also describes “Process Maturity,” which is defined as “the extent of institutionalization of practices at an organization.”  There are no maturity processes assessed at Level 1, but Version 0.6 describes such processes for the other four Levels.

The CMMC Schedule

The CMMC Schedule appears to be evolving.  The schedule in Version 0.4 stated that “CMMC Rev.1” would be released in January 2020, and would be included in RFIs in June 2020 and RFPs in the Fall of 2020.  Version 0.6 now states that “CMMC Model Version 1.0” will be released in late January 2020, and is silent on the other two dates.  As such, DOD may be reassessing its prior schedule – and with good reason.  In early October of this year, DOD issued an RFI to non-profit organizations related to the establishment of a CMMC “Accreditation Body,” indicating that, to obtain CMMC certification, companies will coordinate with an independent CMMC Third-Party Assessment Organization (C3PAO) that has been accredited by the Accreditation Body.  Moreover, the RFI estimates that the number of organizations requiring CMMC certifications is 300,000.  In other words, DOD has still not established an Accreditation Body, which is a precursor to starting the certification process for 300,000 organizations; this raises substantial doubts about DOD’s ability to certify all of those organizations in time to include CMMC in RFPs by the Fall of next year.

Open Questions

The CMMC initiative raises a host of other questions, including:

  • How will DOD determine specific Levels for each procurement?
  • How long will it take to become certified at each Level, and what will those processes entail?
  • How long will a certification Level assigned to a contractor remain valid?
  • What rights will contractors have to disagree with/appeal from assessments by certifiers?
  • Will CMMC apply to grants and cooperative agreements?

Conclusion

DOD is not going through the formal notice and comment process using a notice of proposed rulemaking in the Federal Register.  Moreover, Version 0.6 does not ask for comments from the public.  DOD is clearly still processing the 2,000 comments it received on Version 0.4.  The CMMC initiative will continue to evolve, perhaps significantly, amidst a swirl of unanswered questions.  But the initiative is potentially as important as the October 2016 final rule implementing the current version of DFARS 252.204-7012, in part because all companies wishing to conduct business with DOD will have to achieve the appropriate certification Level.  Failure to do so, in the eyes of a third-party certifier, means your proposal will not even be considered.  This is a critical development.

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.

© Miles & Stockbridge P.C. | Attorney Advertising
